Date:      Sun, 30 Jan 2011 15:52:27 +1000
From:      Da Rock <freebsd-questions@herveybayaustralia.com.au>
To:        freebsd-questions@freebsd.org
Subject:   Re: PF firewall rules and documentation
Message-ID:  <4D44FC9B.5010404@herveybayaustralia.com.au>
In-Reply-To: <AANLkTimsVrhPj7tbNNdqVgUc%2BnvQ1B2AryA8-mNZoBUy@mail.gmail.com>
References:  <4D437DD6.4030202@herveybayaustralia.com.au> <AANLkTimsVrhPj7tbNNdqVgUc%2BnvQ1B2AryA8-mNZoBUy@mail.gmail.com>

On 01/29/11 23:50, Iñigo Ortiz de Urbina wrote:
> I think that kind of user should never be in charge of anything security related
>    
Reading my own post I realise I forgot my question due to kiddie issues 
that were occurring in my vicinity. That is, how would one go about this?

As for user suitability, how else does one learn if not through practice?
> On 1/29/11, Da Rock<freebsd-questions@herveybayaustralia.com.au>  wrote:
>    
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation for pf.
>>
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD, OpenBSD appears to be further
>> advanced than this based on the current docs.
>>
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the site
>> pf allows traffic by default. So explicit rules to block should be set
>> first and then rules set to allow what is needed in. Some assumptions
>> are made in the rules by the interpreter, so according to OpenBSD one
>> can (even in the older versions) simply state block and it is
>> interpreted as 'block on $interfaces all'. This turned out to not be the
>> case.
>>
>> I know this has come up before, but I think it might be time to document
>> pf.conf properly. It seems to be a bit of a security risk not to. Users
>> may be mistaken in their belief of their security on the network using
>> pf, and may be less likely to trust again when it breaks.
>>
>> Cheers
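
The quoted message describes the policy it was trying to express: block everything first, then pass only what is needed. The ruleset below is an added example written for this page, not a configuration from the original thread or from the FreeBSD handbook. It spells out "block all" rather than relying on how a given pf version expands a bare "block", and it uses the OpenBSD 4.x-era syntax that FreeBSD's pf accepted at the time of the thread (the explicit "keep state" and "flags S/SA" are redundant on later versions but harmless). The interface names, the LAN prefix and the service list are assumptions; adjust them for your host.

```pf
# Added example, not from the original thread or the FreeBSD handbook.
# Interface names, LAN prefix and services below are assumptions.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
tcp_services = "{ ssh, http, https }"

set skip on lo0            # never filter loopback
scrub in all               # reassemble fragments before inspection

# Default deny. Written in full so the intent does not depend on how a
# particular pf version expands a bare "block".
block all

# Drop packets whose source address could not legitimately arrive on
# the interface they came in on.
antispoof quick for { $ext_if, $int_if }

# pf evaluates the whole ruleset and the LAST matching rule wins, unless a
# rule says "quick", which stops evaluation there. The pass rules therefore
# sit after the block and override it only for the traffic they match.
pass out quick on $ext_if from ($ext_if) to any keep state
pass in  quick on $int_if from $lan_net to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state
```

Before loading, parse the file without activating it: `pfctl -nf /etc/pf.conf`. Adding `-v` (`pfctl -vnf /etc/pf.conf`) prints each rule as pf actually expands it, lists and defaults filled in, which is the quickest way to settle on a given version what a bare `block` or an omitted `on` clause turns into. After loading with `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the rules in force, and `pfctl -ss` the state table, so a mistaken belief about what is being blocked can be checked against the running firewall rather than the documentation.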

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D44FC9B.5010404>