OpenBSD Security: Functionally paranoid!
I just have a desktop computer, but can't get PF to do anything other than block everything.

I tried this from the FAQ and it blocks all traffic: http://www.openbsd.org/faq/pf/filter.html

doas pfctl -ef /etc/pf.conf.X2
Code:
    block all
    # Pass TCP traffic in to the web server running on the OpenBSD machine.
    pass in on egress proto tcp from any to egress port www

doas pfctl -ef /etc/pf.conf
Code:
    set skip on lo

    block return    # block stateless traffic
    pass            # establish keep-state

    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010

Code:
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
            index 3 priority 0 llprio 3
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff000000
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr f0:79:59:dd:c4:a3
            index 1 priority 0 llprio 3
            groups: egress
            media: Ethernet autoselect (10baseT full-duplex,rxpause,txpause)
            status: active
            inet 192.168.11.5 netmask 0xffffff00 broadcast 192.168.11.255
    enc0: flags=0<>
            index 2 priority 0 llprio 3
            groups: enc
            status: active
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
            index 4 priority 0 llprio 3
            groups: pflog
Hello, and welcome!
Let's diagnose your problem by looking at the rule set you copied and pasted from the FAQ:
Code:
    block all
    pass in on egress proto tcp from any to egress port www

PF is a wonderful tool. It really is. But in order to successfully use it, you need to have an understanding of how communications over computer networks are conducted, and how the applications you want to use -- such as browsing the web -- actually communicate. If you don't have this knowledge, then PF won't be a useful tool. Blindly copying and pasting, then hoping for success, will be a frustrating experience.

Peter Hansteen, the author of The Book of PF, always starts his tutorial sessions by having his audience stand and recite the following Pledge of the Network Admin.
Code:
    This is my network.
    It is mine or technically my employer's,
    it is my responsibility
    and I care for it with all my heart
    There are many other networks a lot like mine,
    but none are just like it.
    I solemnly swear
    that I will not mindlessly paste from HOWTOs.

If you'd like to learn more about networking than you may know today, I recommend Networking for Systems Administrators by Michael W. Lucas. (I own both books.)
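As an added illustration of the point made above (my own Python, not code from this thread, from the OpenBSD FAQ or from the PF project), here is a small simulator of the parts of PF's evaluation model that matter here: rules are evaluated top to bottom and the last matching rule wins, `pass` rules keep state, and packets that match existing state skip the rule set entirely. It runs both rule sets from this thread against an outgoing browser connection and against a few unsolicited inbound connection attempts. The local address and interface are taken from the poster's ifconfig output; the remote address 203.0.113.10 and all port numbers are constructed. What it shows is that the FAQ's `pass in ... to egress port www` only matches traffic arriving at the desktop on port 80, so the browser's outgoing SYN matches nothing but `block all`, whereas the default `pass` rule passes the SYN, creates state, and lets the reply back in. `block return` versus `block drop` is not modelled, and real PF matches on far more than this.

```python
# Added example (not from the thread or from OpenBSD): a tiny simulator of
# PF's rule evaluation, used to show why the FAQ rule set blocks a desktop's
# web browser while the default /etc/pf.conf lets it work.
# Model: last matching rule wins (no "quick"), "pass" rules create state,
# and packets matching existing state bypass the rule set.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

EGRESS_IF = "em0"             # interface in group "egress" in the poster's ifconfig
EGRESS_ADDR = "192.168.11.5"  # inet address of em0 in that output
REMOTE_WEB = "203.0.113.10"   # constructed remote web server (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", as seen from the OpenBSD host
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # None: both directions ("block all")
    iface: Optional[str] = None              # None: any interface
    iface_negate: bool = False               # "on ! lo0"
    proto: Optional[str] = None              # None: any protocol
    to_egress: bool = False                  # "to egress": dst is our egress address
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.iface is not None:
            on_iface = (p.iface == self.iface)
            if on_iface == self.iface_negate:   # wrong interface for this rule
                return False
        if self.proto and p.proto != self.proto:
            return False
        if self.to_egress and p.dst != EGRESS_ADDR:
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


@dataclass
class Firewall:
    rules: list
    skip: Set[str] = field(default_factory=set)     # "set skip on lo"
    states: Set[tuple] = field(default_factory=set)  # 5-tuples of passed flows

    def filter(self, p: Packet) -> str:
        if p.iface in self.skip:
            return "pass"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "pass"                    # matched existing state, no rules consulted
        action = "pass"                      # PF's implicit default when nothing matches
        for rule in self.rules:              # last matching rule wins
            if rule.matches(p):
                action = rule.action
        if action == "pass":
            self.states.add(key)             # OpenBSD pass rules keep state by default
        return action


# The FAQ rule set from the thread: "block all" plus
# "pass in on egress proto tcp from any to egress port www"
FAQ_RULESET = [
    Rule("block"),
    Rule("pass", direction="in", iface=EGRESS_IF, proto="tcp",
         to_egress=True, dport=(80, 80)),
]

# The default /etc/pf.conf from the thread: "block return", "pass",
# "block return in on ! lo0 proto tcp to port 6000:6010"
DEFAULT_RULESET = [
    Rule("block"),
    Rule("pass"),
    Rule("block", direction="in", iface="lo0", iface_negate=True,
         proto="tcp", dport=(6000, 6010)),
]


def browse_the_web(fw: Firewall) -> Tuple[str, str]:
    """Outbound SYN from the desktop's browser, then the server's reply."""
    syn = Packet("out", EGRESS_IF, "tcp", EGRESS_ADDR, 40000, REMOTE_WEB, 80)
    reply = Packet("in", EGRESS_IF, "tcp", REMOTE_WEB, 80, EGRESS_ADDR, 40000)
    return fw.filter(syn), fw.filter(reply)


def inbound_to_local_port(fw: Firewall, port: int) -> str:
    """Unsolicited inbound TCP connection attempt to a port on the desktop."""
    p = Packet("in", EGRESS_IF, "tcp", REMOTE_WEB, 51000, EGRESS_ADDR, port)
    return fw.filter(p)


if __name__ == "__main__":
    print("FAQ rule set, browsing:", browse_the_web(Firewall(FAQ_RULESET)))
    print("Default pf.conf, browsing:",
          browse_the_web(Firewall(DEFAULT_RULESET, skip={"lo0"})))
    print("Default pf.conf, inbound X11 to port 6000:",
          inbound_to_local_port(Firewall(DEFAULT_RULESET, skip={"lo0"}), 6000))
```

With the FAQ rule set the browser's SYN and the server's reply are both blocked, because the only `pass` rule describes a connection arriving at the desktop's own port 80. With the default pf.conf the SYN is passed and creates state, the reply matches that state, and the only thing refused is an unsolicited inbound connection to the X11 port range.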
Thanks jggimi, I thought that www was passing to a web browser. I will take a look at those books.
BTW first rule I got to match something.