Date: Sun, 20 Feb 2005 06:23:39 -0800
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Pat Maddox <pergesu@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Configuring PF
Message-ID: <20050220142339.GD4471@alzatex.com>
In-Reply-To: <810a540e050214203221952797@mail.gmail.com>
References: <810a540e050214203221952797@mail.gmail.com>
On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> I want to install a firewall on my system. First of all, is PF the
> one I should be using? It seems to get the most recommendations.
>
> I don't actually seem to have any problems configuring it - I just
> have some problems testing the configuration. I can ssh to the box,
> and I can access port 80...but I'd like to be able to just scan it to
> quickly see what's up. When PF is disabled, I can nmap it in about 9
> seconds. When I turn it on, it takes over 3 minutes to do. These
> machines are on the same network, so the connection is obviously fast.

This is a good thing, IMHO. Think about all those script kiddies sitting
out there looking for a nice, juicy server to compromise. If it takes
them 3 minutes to port scan your machine, they'll probably cancel it
before it's finished and move on.

I believe what's happening is that all ports that aren't open are
configured to drop packets instead of rejecting them, as is the default.
Reject means send back an error message saying the port is closed, where
dropping just ignores it. The port scanner sends out a request and waits
for a response, either "Hello," or "Sorry, I'm closed." It will wait
quite a while before it decides that nothing's there.

> Are there any good, pretty simple guides on setting up PF? I'm having
> a tough time understanding what the rulesets all mean.

--
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
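The drop-versus-reject behaviour described in the reply is controlled in PF by the block policy, either globally with `set block-policy` or per rule with `block drop` / `block return`. The following `/etc/pf.conf` is an added example, not a file from either poster; the interface name `fxp0` is an assumption and should be replaced with the real external interface. It allows only the two services mentioned in the thread (ssh and http), drops everything else inbound, and shows the one-line change that would make closed ports answer immediately instead of silently timing out.

```pf
# Added example pf.conf (not from the thread). External interface is assumed.
ext_if = "fxp0"

# Global policy for "block" rules that do not say drop or return.
# drop   -> silently discard; unsolicited probes time out (slow scans, as in the thread)
# return -> send TCP RST / ICMP unreachable; probes finish quickly but confirm the host
set block-policy drop
# set block-policy return

# Do not filter loopback.
set skip on lo0

# Reassemble fragments before filtering.
scrub in on $ext_if all

# Default deny inbound; log blocked packets so you can see your own test scan
# with: tcpdump -n -e -ttt -i pflog0
block in log on $ext_if all

# Let the host itself talk out, keeping state so replies come back.
pass out on $ext_if all keep state

# Only ssh and http are reachable from outside. "flags S/SA" matches the
# initial SYN so a state is created once per connection.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 80 } \
    flags S/SA keep state

# Per-rule override: answer probes to this port with a RST even under
# block-policy drop (commented out; shown only to illustrate the syntax).
# block return in on $ext_if proto tcp from any to ($ext_if) port 113
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm what is active with `pfctl -sr`. Under `block-policy drop` a scan from the same LAN will take minutes, as the original poster saw, because each probe to a closed port must time out; switching the line to `return` makes the same scan finish in seconds at the cost of telling the scanner that a live host is filtering those ports.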