Date:      Tue, 1 Mar 2005 11:44:19 -0500
From:      Madhusudan Singh <singh.madhusudan@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   A possibly simple query about pf on FreeBSD 5.3-RELEASE
Message-ID:  <ace7b43805030108447a2b2689@mail.gmail.com>

After nearly a week of fighting the dual problem of OpenBSD 3.6 release
freezing on my hardware, and some rather odious personalities on the
misc@openbsd mailing list, I decided to install FreeBSD 5.3-RELEASE on the
web server I am deploying and stick to it.

I went through the webpage on firewalling on FreeBSD
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html)
and decided to pick pf as my firewall solution. The OpenBSD guide on this is
simply and elegantly written and is very easy to get the hang of.

I have created a packet filtering ruleset in /etc/pf.conf, enabled the
switches in /etc/rc.conf and am fiddling around with it. I tried to connect
on port ssh (22, I think) and did a few tests with different IP addresses
and it works as I expect.

Since this beast is going to be a webserver, I wrote the following filter
for port www :

(previously blocking all and scrubbing all of course)

pass in on $ext_if proto tcp from any to $ext_if \
 port www flags S/SA keep state \
(max 200,source-track rule,max-src-nodes 100,max-src-states 3)

Question :

Is the above a reasonably good rule for my situation (if you have further
questions, fire away) ?

Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a
warning :
No ALTQ support in kernel
ALTQ related functions disabled

Now, I would probably want to use queueing and bandwidth allotment if I am
to run a webserver that allows a few IP addresses to connect via ssh. 

Question :

How do I enable ALTQ support in the kernel ? And since I have the choice of
either using a loadable module for pf (like I am doing) or compiling in PF
support into the kernel, which is better from a security and performance
pov ?

Another issue, unrelated to pf :

I am trying to install plone, zope (and a bunch of zope/plone related
packages) and apache on the machine. However, the pkg_add process quit with
some errors for some of the packages and referred me to some log (which
log ?) during installation.

Question :

Are versions in the ports tree for these packages "kosher", i.e., do they
compile, install and work cleanly ?
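The www rule quoted in the message, placed in a fuller pf.conf as an added example (not from the original post or its replies): it keeps the poster's state-tracking limits, restricts ssh to a table of allowed addresses as the message describes, and adds a cbq ALTQ queue set of the kind the poster says they want. The interface name em0, the table addresses and the 10Mb link rate are assumptions chosen for illustration.

```pf
# Macros and tables (ext_if and the addresses are assumed sample values)
ext_if = "em0"
table <ssh_admins> { 192.0.2.10, 192.0.2.11 }   # constructed sample addresses

# Normalise all inbound traffic before it reaches the filter rules
scrub in all

# Queueing: requires a kernel built with ALTQ support; without it pfctl
# prints "No ALTQ support in kernel" and silently ignores this section.
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_ssh, q_www }
queue q_std bandwidth 10% cbq(default)
queue q_ssh bandwidth 20% priority 7 cbq(borrow)   # keep admin ssh responsive
queue q_www bandwidth 70% cbq(borrow)

# Default deny in both directions; log what is dropped inbound so it is visible
block in log all
block out all

# Let the box itself and loopback talk freely
pass quick on lo0 all
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state

# ssh only from the listed admin addresses, on the high-priority queue
pass in on $ext_if proto tcp from <ssh_admins> to $ext_if port ssh \
    flags S/SA keep state queue q_ssh

# The poster's www rule: at most 200 states for this rule overall, at most
# 100 distinct client addresses tracked, and at most 3 concurrent states per
# client, so one source cannot exhaust the state budget for everyone else.
pass in on $ext_if proto tcp from any to $ext_if port www \
    flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3) \
    queue q_www
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sS` afterwards shows the per-source tracking entries the www rule creates.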
