Date:      Sat, 29 Jan 2011 12:39:18 +1000
From:      Da Rock <freebsd-questions@herveybayaustralia.com.au>
To:        freebsd-questions@freebsd.org
Subject:   PF firewall rules and documentation
Message-ID:  <4D437DD6.4030202@herveybayaustralia.com.au>

I spent some time playing with pf and pf.conf, and followed the 
directions in the handbook. It redirected me to the openbsd site for 
pf.conf, and recommended it as the most comprehensive documentation for pf.

Firstly, I didn't find that. I had to translate the instructions into 
the current version used in FreeBSD; OpenBSD appears to be further 
advanced than this based on the current docs.

Secondly, some of the rules don't appear to be following. From my 
understanding based on the documentation in the handbook and on the site, 
pf is allowing traffic by default. So explicit rules to block should be set 
first and then rules set to allow what is needed in. Some assumptions 
are made in the rules by the interpreter, so according to OpenBSD one 
can (even in the older versions) simply state block and it is 
interpreted as 'block on $interfaces all'. This turned out to not be the 
case.

I know this has come up before, but I think it might be time to document 
pf.conf properly. It seems to be a bit of a security risk not to. Users 
may be mistaken in their belief of their security on the network using 
pf, and may be less likely to trust again when it breaks.

Cheers
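As an added illustration of the ordering point raised above (this is example
configuration written for this note, not a ruleset from the original post or
from the FreeBSD handbook), a minimal pf.conf that spells out the default deny
in full instead of relying on the bare "block" shorthand. The interface name
em0 and the LAN prefix 192.168.1.0/24 are assumptions chosen for the example.
pf evaluates rules top to bottom and the last matching rule wins unless a rule
carries "quick", so the block rules must come before the pass rules for the
ruleset to be default-deny:

```pf
# Added example, not from the original post. Assumed values: em0, 192.168.1.0/24.
ext_if  = "em0"
lan_net = "192.168.1.0/24"

# Don't filter loopback at all.
set skip on lo0

# Default deny, written out explicitly on both directions so that no
# version-specific interpretation of a bare "block" is relied upon.
# These come first because the last matching rule wins.
block in  log all
block out log all

# Let the host itself initiate connections; state keeps the replies flowing.
pass out quick on $ext_if inet proto { tcp udp icmp } from ($ext_if) keep state

# Admit SSH only from the LAN; everything else inbound falls through to "block in".
pass in quick on $ext_if inet proto tcp from $lan_net to ($ext_if) port 22 \
    flags S/SA keep state
```

To see exactly how a given FreeBSD release expands shorthand such as a bare
"block" before trusting it, parse the file without loading it and print the
resulting rules: "pfctl -vnf /etc/pf.conf". The -n flag checks syntax and
reports the parsed rules without touching the running ruleset, and "pfctl -sr"
afterwards shows what is actually loaded, which is the set of rules the
firewall is enforcing regardless of what the documentation says.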


