#4
13th May 2009
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Quote:
Originally Posted by Oko
This is exactly what I wanted to hear. I have never understood why people are leaving domain (udp) totally open when passing out and keeping state will work for most users.

It really depends on the individual ruleset, Oko.

There are 2 primary types of rulesets (..probably more):
  • pass .. all, packets are passed unless they match a future block rule. (Default)
  • block .. all, packets are blocked unless they match a future pass rule.
As you can see, pf is a very flexible tool.. users are free to design a ruleset that fits their personal mentality.

In my case, I pass all outgoing IPv4 TCP/UDP/ICMP traffic (..with state) from my /24 private LAN.. but I block all incoming traffic except for whatever I implicitly allow.

Quote:
Originally Posted by Oko
Does one really need to antispoof lo? I noticed the man pages do recommend antispoofing on lo but most people do not have it. Having in mind that I am setting skip on lo, antispoof should do nothing on lo anyway. Am I mistaken?

Some people might, but considering you have set skip on lo, no packets on interfaces in the lo group will be matched.. thusly the default rule to pass all packets is enforced.

I know it can sound confusing, but reading the pf FAQ and the man pages can make it all become clearer.. I've been using OpenBSD+pf for a long time now, but I still tweak my rulesets occasionally.
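The following pf.conf fragment is an added example, not from this post or the pf FAQ, showing the block-by-default style described above: everything is blocked unless a pass rule matches, outbound TCP/UDP/ICMP from a private /24 is allowed with state (so DNS replies on udp/53 come back through the state table rather than an open port), and `set skip on lo` makes the loopback entry in the antispoof rule a no-op. The interface names em0/em1, the 192.168.1.0/24 prefix and the ssh pass rule are assumptions, and no NAT is configured.

```pf
# Added example (assumed names): block-by-default ruleset, no NAT.
ext_if  = "em0"               # assumed external interface
int_if  = "em1"               # assumed LAN interface
lan_net = "192.168.1.0/24"    # constructed private /24

# Loopback is not filtered at all. Because of this line, neither the
# antispoof rule nor the block rule below ever sees a packet on lo0,
# so the "lo0" entry in the antispoof list is harmless but does nothing.
set skip on lo

# Drop packets arriving on an interface with a source address that
# belongs to a different interface. "quick" stops rule evaluation so a
# later pass rule cannot override the block.
antispoof quick for { lo0 $int_if $ext_if }

# "block .. all" style: nothing passes unless a later pass rule matches.
block log all

# Let the LAN out. Keeping state means replies (including UDP/53 DNS
# answers) are matched by the state table; no "pass in" for udp domain
# is needed.
pass in  on $int_if inet proto { tcp udp icmp } from $lan_net keep state
pass out inet proto { tcp udp icmp } from $lan_net keep state

# Only services listed here are reachable from outside, e.g. ssh.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sr` afterwards to see the rules the antispoof line expands into.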