View Single Post
Old 16th September 2012
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

As a suggestion, you should annotate your pf.conf file with your own thoughts, understandings, and misgivings. Drill down on every line to understand WHY it is there. pf is there to guard your system, so if you can't vet your guards, how can you be sure they are guarding you?

One misgiving that is repeated in the OpenBSD community is that a great deal of software (generally speaking here) is written for feature and functionality first, and then has security added later. This is a terrible approach, and is one major reason why you don't see tons of new software in the OpenBSD system. Translate that into your use of the system itself (and in this case securing the system via pf), and you can see that it's better to be sure you are secure first, and then able to do all the fun stuff that you want to do.

If you contribute pf.conf files to others for review, having it well annotated can not only help them get 'up to speed' on your setup faster, but it can also show them that you are sure about certain things and not sure about others. Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation.

Also, pf can be quite complex- asking a question here about a single function or line is not a bad thing at all (given proper context, of course), and may provide the ability to show the rest of the forum how a particular thing should be done in pf. It also tends to keep people focused .
Network Firefighter
Reply With Quote