#9
13th March 2009
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Take a look at these two educational references for PF that ocicat mentioned in another thread earlier today:

http://www.daemonforums.org/showthre...2956#post21913

These may be helpful.
Quote:
My purpose of the pf firewall is to secure my PC from some sort of attack.
As you already know, the default installation is considered secure. But nobody runs the default install. Even if we don't add any 3rd-party packages, we make configuration changes, add users ... enable services ... and do other administrative tasks that may introduce weaknesses or attack vectors.

Knowledge of our networking applications is key.

For instance, let us pretend that you have decided to start ftpd(8), and run an ftp server. It is not enabled in the default install. So you enable it, either in inetd.conf(5) or in rc.conf.local(5).

Some of the most obvious attack vectors to consider:
  • Anonymous FTP misconfiguration
  • Allowing password authentication, and the implications for packet sniffing
  • Poor passwords
  • Common userids
  • Brute force password attacks
  • Authenticated users and improper access
  • ...
There are plenty of things to consider, and plenty of ways to make mistakes without even realizing it.

Will PF help? Perhaps. I might use PF to limit FTP client access from a particular set of IP addresses or network blocks, or I might use state table management to set limits on anonymous FTP connections.

FTP is a good example. To use PF to allow (or deny) FTP, the admin needs to know the protocol it uses, and the ports. If you elect to offer an FTP service ... do you know it uses different ports depending on whether "Active FTP" or "Passive FTP" is used? Do you know it uses a range of high port numbers for data channels? And, that the initiator of the data backchannel may be the client, or the server, depending on Active/Passive FTP?

On to your next network application....
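The post mentions two concrete uses of PF for an FTP service (restricting client source addresses, and state-table limits on connections) and the Active/Passive port question. The pf.conf fragment below is an added example written for this page; it is not from jggimi's post, the linked references, or the OpenBSD project. It assumes the external interface is em0, that ftpd(8) runs on the same host PF runs on, and uses made-up client address ranges; the passive data port range is the default net.inet.ip.porthifirst/porthilast range (49152-65535) that ftpd(8) draws high ports from, which you should verify on your own system.

```pf
# Added example pf.conf fragment (not from the post). Assumes the external
# interface is em0 and ftpd(8) runs on this host; all addresses are made up.
ext_if = "em0"

# Hypothetical client networks that are allowed to reach the FTP service.
table <ftp_clients> { 192.0.2.0/24, 198.51.100.10 }

# Addresses that exceed the connection limits below are added here
# automatically by the overload option and then blocked outright.
table <ftp_abusers> persist

block in quick on $ext_if from <ftp_abusers>

# FTP control channel (TCP/21): only listed clients, with per-source limits
# so one address cannot hold unlimited sessions or hammer the port.
#   max-src-conn 5        at most 5 concurrent connections per source
#   max-src-conn-rate 10/60  at most 10 new connections per 60 s per source
#   overload ... flush global  offender goes into <ftp_abusers> and all of
#                              its existing states are torn down
pass in on $ext_if proto tcp from <ftp_clients> to ($ext_if) port 21 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 10/60, \
     overload <ftp_abusers> flush global)

# Passive FTP: the server listens on a high port and the CLIENT opens the
# data connection, so an inbound rule covering the high range is needed.
# 49152:65535 is the default net.inet.ip.porthifirst/porthilast range
# (assumption: unchanged on this host; check with sysctl).
pass in on $ext_if proto tcp from <ftp_clients> to ($ext_if) port 49152:65535 \
    flags S/SA keep state

# Active FTP: the SERVER opens the data connection from port 20 back to the
# client, so this is an outbound rule rather than an inbound one.
pass out on $ext_if proto tcp from ($ext_if) port 20 to <ftp_clients> \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect which sources have tripped the limits with `pfctl -t ftp_abusers -T show`. Note that the passive rule only applies if the client is restricted to the same <ftp_clients> table as the control channel; if you do not restrict sources at all, the inbound high-port rule becomes much broader and the state limits on port 21 are doing most of the work.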