PF mods
Greetings all, I was reading about the changes to PF and found this below interesting. Wondering if anyone had any updated 4.6 pf.conf rules they would like to share.
I had removed my scrub option from the 4.5 conf to work with 4.6; any examples of "one kind of packet reassembly" and "match" syntax? Thx.
__________________
The more you learn, the more you realize how little you know .... Last edited by There0; 18th November 2009 at 07:17 AM.
In case anyone was wondering, the scrub rule that I was using that worked in 4.5 and not in 4.6 is below.
__________________
The more you learn, the more you realize how little you know ....
It may or may not matter. This example was from my home network. The reason I chose inside for randomization was that there is WiFi here, not protected with WEP/WAP, but protected with IPSec or SSH. Sometimes, a Senior Executive (a.k.a. my wife) wants to get on without fiddling with her IPSec client, or doesn't realize it is disengaged or inoperative. She is allowed to connect unencrypted, and the only financial data she touches uses SSL.
Hence my attempt to eliminate a common area of weakness, under the assumption that her management fiat is more powerful than both technical correctness and sanity.
Sounds like my house..
__________________
All posts sent on ReCycled Electrons...
Should I be glad I am not married?
Thx for the examples, Jggimi. I am wondering where you get all this updated info from? It must be many sources? I scour quite frequently and own many ebooks but have not seen this for PF yet. Are there any resources I may be missing for data like this? I am assuming the mailing lists have the most up-to-date and correct information? Thx again for sharing; I know how much time and effort it takes to get through processes like this, and then find the patience and energy to share.
__________________
The more you learn, the more you realize how little you know ....
But I suppose a wife (despite fiat) has her advantages too. Thanks, /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
I presume that jggimi reads the source-changes mailing list, either daily or in weekly/monthly bulk digests.
http://www.openbsd.org/mail.html
http://marc.info/?l=openbsd-cvs
Another possibility is that he follows the 'current' FAQ, which is something people should look at occasionally.. always good to prepare for the future.
http://www.openbsd.org/faq/current.html
As you can see, 4.7 will introduce changes to pf that break traditional 'rdr' and 'nat' pseudo-translation-actions entirely. Man pages are also a good idea; the new match action is documented in pf.conf(5). Beware of outdated books, the developers never promised backwards compatibility.. use the PF FAQ instead.
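A constructed pf.conf fragment, added here as an illustration and not taken from any post in this thread (the original poster's 4.5 scrub rule did not survive on the page), putting the three syntaxes discussed above side by side: the pre-4.6 standalone scrub rule, the 4.6 replacement (the global set reassemble option plus scrub options on a match rule, including the random-id case jggimi describes), and the 4.7 nat-to/rdr-to form that replaces nat and rdr rules. Interface names, the LAN prefix and the web-server address are assumptions.

```pf
# Constructed example, not from this thread. Assumed names and addresses:
#   em0 = external interface, em1 = internal (WiFi) interface,
#   192.168.1.0/24 = LAN, 192.168.1.10 = internal web server.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
www_srv = "192.168.1.10"

# --- OpenBSD 4.5 and earlier: standalone scrub, nat and rdr rules ---
# Shown commented out for comparison; pfctl on 4.6 rejects the scrub line,
# and pfctl on 4.7 rejects the nat/rdr lines as well.
# scrub in all random-id no-df max-mss 1440
# nat on $ext_if from $lan_net to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv

# --- OpenBSD 4.6: fragment reassembly is a single global option ---
# "no-df" additionally clears the don't-fragment bit on reassembled packets.
set reassemble yes no-df

# --- OpenBSD 4.6: other normalisation moves to the scrub option of match ---
# A match rule never passes or blocks; it attaches its options to every packet
# it matches and evaluation continues with the following rules.
# IP ID randomisation on the inside interface (both directions; the case from
# the post above about an unencrypted WiFi client):
match on $int_if scrub (random-id)
# Clamp the TCP MSS and clear DF on everything entering the firewall:
match in all scrub (no-df max-mss 1440)

# --- OpenBSD 4.7: nat and rdr become nat-to / rdr-to on match/pass rules ---
# Outbound source NAT to the external address (same effect as the old nat rule):
match out on $ext_if from $lan_net to any nat-to ($ext_if)
# Inbound port forward; pass and redirect in one rule (same effect as old rdr):
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $www_srv

# Ordinary filter policy, last matching pass/block rule wins:
block all
pass out on $ext_if from ($ext_if) to any
pass in  on $int_if from $lan_net to any
```

All uncommented lines load on 4.7; on 4.6 drop the two nat-to/rdr-to rules and use the commented nat/rdr rules instead, since 4.6 still has them. Before loading any of this, syntax-check it without touching the running ruleset with `pfctl -nf /etc/pf.conf`; a rule written in the wrong version's syntax is rejected at parse time rather than silently ignored.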
I follow misc@, ports@, tech@, the OpenBSD Journal, and the Following -current FAQ.
(tech@ is interesting to read, but I have rarely posted there. As Michael Lucas wrote in Absolute OpenBSD, if your post doesn't include a patch, tech@ is the wrong list for it.) I also read cvs logs. I get the daily source and ports change CVS summaries, but rarely read them, and should probably cancel my subscriptions. I also read slashdot, and then poke around in the source code or CVS logs if something interesting appears there about a subsystem. Case in point: on the day this week that slashdotters went nuts over SSL's latest MITM exploit, and all of the concerns about which distribution of Linux had which patch available when, and which distributions might not have one for a while .... I checked the logs and noted the fix was already in -current, and the log mentioned a workup in progress for -stable.
Thank you both for your replies; there were two there that I did not have on my list.
__________________
The more you learn, the more you realize how little you know ....