Quote:
Originally Posted by Oko
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state will work for most users.
It really depends on the individual ruleset Oko.
There are 2 primary types of rulesets (..probably more):
- pass .. all, packets are passed unless they match a future block rule. (Default)
- block .. all, packets are blocked unless they match a future pass rule.
As you can see, pf is a very flexible tool.. users are free to design a ruleset that fits their personal mentality.
In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.
Quote:
Originally Posted by Oko
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo but most people do not have it.
Having in mind that I am setting skip on lo, antispoof should do nothing on lo anyway. Am I mistaken?
Some people might, but considering you have set skip on lo, no packets on interfaces in the lo group will be matched.. thusly the default rule to pass all packets is enforced.
I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.
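To make the two points in the reply above concrete (a block-all ruleset that passes outgoing TCP/UDP/ICMP from a private /24 with state, and set skip on lo making an antispoof for lo moot), here is an added example pf.conf. It is not from the original post or from any poster's own firewall; the interface names em0/em1, the 192.168.1.0/24 LAN and the single inbound SSH service are assumptions chosen for illustration.

```pf
# Added example pf.conf (not from the original post).
# Assumed: em0 faces the Internet, em1 faces a private /24 LAN.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Loopback is never filtered, so pf never evaluates rules for it;
# that is why "antispoof for lo0" would be a no-op with this line present.
set skip on lo

# Default-deny: every packet is dropped unless a later pass rule matches.
# (With no rules at all pf's default is the opposite: pass everything.)
block all

# Drop packets arriving on the wrong interface with a source address
# belonging to $int_if's or $ext_if's network (spoofing).
antispoof quick for { $int_if $ext_if }

# Let the LAN talk to the firewall / be forwarded, creating state.
pass in on $int_if inet proto { tcp udp icmp } from $lan_net to any keep state

# Pass all outgoing TCP/UDP/ICMP from the LAN with state. Replies, DNS
# answers included, match the state entry, so no "pass in ... port domain"
# rule is needed on $ext_if.
pass out on $ext_if inet proto { tcp udp icmp } from $lan_net to any keep state

# Inbound: only what is explicitly allowed, e.g. SSH to the firewall itself.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; with `set skip on lo` in place, `pfctl -sr` will show no rule for lo0, which is the behaviour described above. Removing `set skip on lo` is the point at which an `antispoof for lo0` line (as in the pf.conf manual's examples) starts to matter.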