From: Da Rock
Date: Sat, 29 Jan 2011 12:39:18 +1000
To: freebsd-questions@freebsd.org
Subject: PF firewall rules and documentation
Message-ID: <4D437DD6.4030202@herveybayaustralia.com.au>

I spent some time playing with pf and pf.conf, and followed the directions in the handbook. It redirected me to the OpenBSD site for pf.conf, and recommended it as the most comprehensive documentation for pf.

Firstly, I didn't find that. I had to translate the instructions into the current version used in FreeBSD; OpenBSD appears to be further advanced than this based on the current docs.

Secondly, some of the rules don't appear to be followed. From my understanding based on the documentation in the handbook and on the site, pf allows traffic by default. So explicit rules to block should be set first, and then rules set to allow in what is needed. Some assumptions are made in the rules by the interpreter, so according to OpenBSD one can (even in the older versions) simply state 'block' and it is interpreted as 'block on $interfaces all'. This turned out to not be the case.

I know this has come up before, but I think it might be time to document pf.conf properly. It seems to be a bit of a security risk not to. Users may be mistaken in their belief in their security on the network using pf, and may be less likely to trust again when it breaks.

Cheers
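The ordering the post describes (explicit block rules first, then the narrow allow rules, since in pf the last matching rule wins unless `quick` is used) looks like the following in a minimal default-deny pf.conf. This is an added example, not a ruleset from the original post or from the FreeBSD handbook; it assumes the external interface is named `em0` and that SSH is the only service the host should accept from outside, and it uses the OpenBSD 4.x-era syntax (`keep state`, `flags S/SA`) that the FreeBSD pf of that time expected rather than current OpenBSD syntax.

```pf
# Added example pf.conf (not from the original post). Assumes the external
# interface is em0 and that SSH is the only inbound service wanted.
ext_if = "em0"

# Loopback traffic is never filtered.
set skip on lo0

# Default deny, spelled out in full rather than relying on a bare "block".
# Inbound drops are logged so they can be watched on pflog0.
block in log all
block out all

# Let this host open outbound connections; the state entry admits the replies.
pass out on $ext_if keep state

# The single inbound exception: SSH to this host's own address.
# Last matching rule wins, so this must come after the block rules.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and after loading, `pfctl -sr` prints the rules in their expanded form. Comparing that output against what was written is the direct way to see how a shorthand such as a bare `block` was actually interpreted, which is the question the post raises.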