Date: Mon, 31 Jan 2011 20:58:24 +1000
From: Da Rock <freebsd-questions@herveybayaustralia.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: PF firewall rules and documentation
Message-ID: <4D4695D0.1040604@herveybayaustralia.com.au>
In-Reply-To: <20110131113058.71d4e4e8@mr129041.univ-rennes1.fr>
References: <4D437DD6.4030202@herveybayaustralia.com.au> <20110131113058.71d4e4e8@mr129041.univ-rennes1.fr>
On 01/31/11 20:30, Patrick Lamaiziere wrote:
> On Sat, 29 Jan 2011 12:39:18 +1000,
> Da Rock <freebsd-questions@herveybayaustralia.com.au> wrote:
>
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation
>> for pf.
>>
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD; OpenBSD appears to be further
>> advanced than this based on the current docs.
>>
> Yes, you should refer to the OpenBSD 4.1 Packet FAQ:
> http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf
>
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the
>> site pf is default allowing traffic.
>>
> According to a current discussion on misc@openbsd.org, it allows
> traffic to pass but without creating states.

Exactly. 'permitting' is the term in the handbook I believe.

>> So explicit rules to block
>> should be set first and then rules set to allow what is needed in.
>> Some assumptions are made in the rules by the interpreter, so
>> according to OpenBSD one can (even in the older versions) simply
>> state block and it is interpreted as 'block on $interfaces all'. This
>> turned out to not be the case.
>>
> Ah? Do you have an example for this?

Yes. Me unfortunately, but I did manage to pick it up quite quickly
though. I had a little thief attack one of my ports and attempt login on
the firewall. I had to change it to 'block in $log on $ext_if all' and
'block out $log on $ext_if all' to actually block the traffic. Bit of a
doozy really; I'm still monitoring the traffic very closely with tcpdump
on the interface and not the log. Thankfully I was also getting ready to
update and completely rebuild most (scratch that, all) of my systems to
newer and more manageable levels.

>> I know this has come up before, but I think it might be time to
>> document pf.conf properly. It seems to be a bit of a security risk not
>> to. Users may be mistaken in their belief of their security on the
>> network using pf, and may be less likely to trust again when it
>> breaks.
>>
> This is true, many things are now more precise in the manual page of
> OpenBSD's PF. But it will be hard to merge only these precisions in our
> pf.conf manual page.
>
> There are some plans to update PF to a more recent version. So maybe
> it will be better.

Actually, that sounds like a better idea than mine ;) Kills 2 birds with
one stone then...
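The thread turns on two properties of pf that are easy to get wrong: a packet that matches no rule is passed (without state), and when several rules match, the last one wins unless it carries 'quick'. A ruleset is therefore only default-deny if an unconditional block rule comes first and every later pass rule names exactly the traffic it is meant to admit. The following pf.conf is an added example written for this page, not a ruleset from the original thread, from the FreeBSD handbook or from the OpenBSD FAQ. It targets the OpenBSD 4.1-era pf shipped with FreeBSD at the time; the interface name em0 and the set of services allowed in are assumptions for illustration:

```pf
# Added example (not from the thread): minimal default-deny pf.conf for a
# FreeBSD host running the OpenBSD 4.1-era pf. The interface name and the
# services allowed in are assumptions for illustration.
ext_if = "em0"
tcp_services = "{ ssh, http }"

# Do not filter loopback; normalise fragments arriving on the outside.
set skip on lo0
scrub in on $ext_if all

# Default deny, logged, on every interface in both directions. With no
# matching rule pf passes the packet, so this line is what makes the
# ruleset default-deny. The last matching rule wins unless it says
# 'quick', so the pass rules below override it only for the traffic
# they name.
block log all

# Drop packets arriving on the outside with source addresses that belong
# to this host's own networks.
antispoof log quick for $ext_if

# Anything this host originates may leave; keep state so replies return
# even though nothing below allows them in explicitly.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Only the named services may be contacted from outside. Matching on the
# initial SYN only (flags S/SA) keeps stray mid-connection segments out.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without installing it. Once loaded, `pfctl -vsr` prints each rule with its evaluation and packet counters, which shows directly whether a packet that was expected to be blocked is instead being matched by a later pass rule. Packets hit by the 'log' rules can be watched with `tcpdump -n -e -ttt -i pflog0`, which is a useful cross-check against watching the physical interface alone, since the latter shows traffic arriving but not what pf decided to do with it.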