OpenBSD Security: Functionally paranoid!
are these pf.conf settings correct ?
Hi. This is my first attempt to touch pf.conf.. if there is something foolish please don't be aggressive. Following FAQ 6, I have in hostname.wpi0:
Code:
```
dhcp NONE NONE NONE
```
Code:
```
up media 10base2
```
Code:
```
add wpi0
add bce0
up
```
Code:
```
# wired side: everything is allowed in and out
pass in quick on bce0 all
pass out quick on bce0 all

# wireless side: default deny in both directions
block in on wpi0 all
block out on wpi0 all

# let ssh, http and ftp control connections in on wpi0; 'flags S/SA keep state'
# has been the default for tcp pass rules on OpenBSD since 4.1. There is no
# pass out on wpi0, so connections this host starts itself and inbound udp
# (dhcp) are still blocked.
pass in quick on wpi0 proto tcp from any to any port {22, 80, 21} \
    flags S/SA keep state
```
Thank you very much!!
Maybe I should pass udp as well, to allow dhcp..
I've changed that line.. 'up' is enough so it will use autoselect (defaults).. but if you deem simplification is better I may do without the bridge. There was a contribution by oko, an example of a working pf.conf that maybe I can elaborate on to meet my needs, and my needs for a box are: http/ftp/ssh plus being able to use p2p (aMule & BitTorrent). Here is oko's sample pf.conf:
Code:
```
ext_if = "rl0"
tcp_services = "{ ssh, imaps, smtp, 587, domain, ntp, www, https }"
udp_services = "{ domain, ntp }"

set skip on lo               # never filter loopback
set loginterface $ext_if     # per-interface counters for pfctl -si

# packet normalisation in pre-4.6 syntax; on OpenBSD 4.6 and later this is
# written 'match in all scrub (random-id)' and reassembly is on by default
scrub in all random-id fragment reassemble

# default deny: refuse (with RST/unreachable) and log everything inbound,
# silently drop everything outbound
block return in log all
block out all

# drop packets arriving on $ext_if with a source address belonging to this host
antispoof quick for $ext_if

# the only traffic allowed is what this host starts itself, to the listed
# services; pass keeps state, so replies come back without a pass in rule
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
```
Rather, disappointed.
daemonfowl, you will find in the OpenBSD community very little sympathy for those who simply cut-&-paste others' work having little to no comprehension of what it does.
I agree that copy/paste is not the right way to learn.
I see those examples as starting points for me to first *start* walking.. at this moment I need to set my still immature pf.conf to allow p2p? Do I have to first learn about p2p and TCP/IP to start using pf.conf?? OpenBSD is a shoreless sea, as is Unix.. how can I use it to serve me this? at this time? As to learning, it is and must be a life process, but every mortal has their own tempo/rhythm/pace.. I believe myself to have the slowest.. and yet I'm not psychologically ( :-) ) ready to stop using a great OS just because it's hard for me.. that's it. (There are lots of people - I'm sure - who are having the same - if not worse - issue but abstain from exposing it here or there :-) so as not to be ridiculed.. well, only the shy and the boastful, who wouldn't learn a thing.)
Yet, we see evidence of it again & again with you...
And for fans of dead trees, the following is the best book I have read on the general theory of TCP/IP:
http://www.amazon.com/Routing-TCP-Vo...rds=jeff+doyle
Here is someone who "manages" what he does not understand. Do you want to be like him?
Do you truly wish to make network decisions in ignorance? You could harm more than your own systems. An improperly configured network is a network which may be open to attack, and could be used as a vector to launch attacks on other networks. You may not care about your own systems. But you should be a responsible Internet citizen and not -- through willful ignorance -- cause problems for others.
As a suggestion, you should annotate your pf.conf file with your own thoughts, understandings, and misgivings. Drill down on every line to understand WHY it is there. pf is there to guard your system, so if you can't vet your guards, how can you be sure they are guarding you?
One misgiving that is repeated in the OpenBSD community is that a great deal of software (generally speaking here) is written for feature and functionality first, and then has security added later. This is a terrible approach, and is one major reason why you don't see tons of new software in the OpenBSD system. Translate that into your use of the system itself (and in this case securing the system via pf), and you can see that it's better to be sure you are secure first, and then able to do all the fun stuff that you want to do. If you contribute pf.conf files to others for review, having it well annotated can not only help them get 'up to speed' on your setup faster, but it can also show them that you are sure about certain things and not sure about others. Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation. Also, pf can be quite complex - asking a question here about a single function or line is not a bad thing at all (given proper context, of course), and may provide the ability to show the rest of the forum how a particular thing should be done in pf. It also tends to keep people focused.
__________________
Network Firefighter
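Taking the annotation advice above literally, and covering the needs daemonfowl listed earlier (ssh/http/ftp served from the box, plus aMule and BitTorrent), here is an annotated pf.conf written as an added example for this thread. It is neither the original poster's file nor oko's sample. Its assumptions: bce0 is the wired interface and wpi0 the wireless one, as in the first post, but without the bridge; aMule listens on 4662/tcp and 4672/udp and BitTorrent on 6881/tcp, which are those clients' usual defaults and have to be changed to whatever the clients are really set to; and the syntax is OpenBSD 4.6 or later.

```pf
# /etc/pf.conf: annotated example (added here, not the original poster's file)
#
# Assumptions: bce0 wired, wpi0 wireless (from the first post, no bridge);
# aMule on 4662/tcp and 4672/udp, BitTorrent on 6881/tcp, which are the
# clients' usual defaults and must match what the clients are actually set to.
# Syntax is OpenBSD 4.6 or later ('match ... scrub' instead of 'scrub' rules).

ext_if = "wpi0"            # the side we are careful about
int_if = "bce0"            # wired side, left open as in the first post

# Services this box offers to others. ftp is the control connection only;
# passive-mode data connections use whatever port range your ftpd is set to,
# and that range has to be added here before passive FTP works.
tcp_services = "{ ssh, www, ftp }"

# P2P listening ports (assumed defaults, see above).
p2p_tcp = "{ 4662, 6881 }"
p2p_udp = "{ 4672 }"

set skip on lo             # never filter loopback
set loginterface $ext_if   # per-interface counters for pfctl -si

# Normalise incoming packets before they reach the state table.
match in all scrub (no-df random-id)

# Default deny in both directions. Blocked inbound packets are logged to
# pflog0, so a rule mistake shows up in 'tcpdump -n -e -ttt -i pflog0'
# instead of as a silent hang.
block in log all
block out all

# DHCP: the client talks from 68/udp to 67/udp; the offer comes back the
# other way, often to the broadcast address, so it needs its own pass in.
pass out quick on $ext_if proto udp from any port 68 to any port 67
pass in  quick on $ext_if proto udp from any port 67 to any port 68

# Inbound services and p2p listeners. ($ext_if) follows the interface's
# current address, so these rules stay right when the DHCP lease changes.
# pass keeps state by default on OpenBSD, so replies need no pass out rule.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services
pass in on $ext_if proto tcp to ($ext_if) port $p2p_tcp
pass in on $ext_if proto udp to ($ext_if) port $p2p_udp

# Everything this box starts itself: DNS, NTP, browsing, and the outbound
# connections the p2p clients make to other peers.
pass out on $ext_if

# Wired side fully open in both directions, as in the first post.
pass quick on $int_if
```

Check it before loading it: `pfctl -nf /etc/pf.conf` parses the file without changing the running ruleset, and `pfctl -f /etc/pf.conf` loads it once that is clean. Every pass rule above names one thing the box is meant to do, which is exactly what makes the file reviewable by someone else.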