A possibly simple query about pf on FreeBSD 5.3-RELEASE
Andrew L. Gould
algould at datawok.com
Tue Mar 1 17:24:48 GMT 2005
On Tuesday 01 March 2005 10:44 am, Madhusudan Singh wrote:
> After nearly a week of fighting the dual problem of OpenBSD 3.6
> release freezing on my hardware, and some rather odious personalities
> on the misc at openbsd mailing list, I decided to install FreeBSD
> 5.3-RELEASE on the web server I am deploying and stick to it.
> I went through the webpage on firewalling on FreeBSD
> pf.html) and decided to pick pf as my firewall solution. The OpenBSD
> guide on this is simply and elegantly written and is very easy to get
> the hang of.
> I have created a packet filtering ruleset in /etc/pf.conf, enabled
> the switches in /etc/rc.conf and am fiddling around with it. I tried
> to connect on port ssh (22, I think) and did a few tests with
> different IP addresses and it works as I expect.
> Since this beast is going to be a webserver, I wrote the following
> filter for port www :
> (previously blocking all and scrubbing all of course)
> pass in on $ext_if proto tcp from any to $ext_if \
> port www flags S/SA keep state \
> (max 200,source-track rule,max-src-nodes 100,max-src-states 3)
> Question :
> Is the above a reasonably good rule for my situation (if you have
> further questions, fire away) ?
> Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a
> warning :
> No ALTQ support in kernel
> ALTQ related functions disabled
> Now, I would probably want to use queueing and bandwidth allotment if
> I am to run a webserver that allows a few IP addresses to connect via
> Question :
> How do I enable ALTQ support in the kernel ? And since I have the
Add the following line to your kernel configuration file and
compile/install a new kernel.
For instructions regarding kernel configuration/installation, see
Chapter 8 of the online manual:
> choice of either using a loadable module for pf (like I am doing) or
> compiling in PF support into the kernel, which is better from a
> security and performance pov ?
pf is compiled into the GENERIC kernel by default in FreeBSD 5.3.
> Another issue, unrelated to pf :
> I am trying to install plone, zope (and a bunch of zope/plone related
> packages) and apache on the machine. However, the pkg_add process
> quit with some errors for some of the packages and referred me to some
> log (which log ?) during installation.
> Question :
> Are versions in the ports tree for these packages "kosher", i.e., do
> they compile, install and work cleanly ?
Best of luck,
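As an added illustration, not from the original thread or its author: a complete /etc/pf.conf for a single-homed FreeBSD 5.3 web server that keeps the posted www rule and adds the ALTQ queueing the poster asked about. It assumes a kernel built with "options ALTQ" and "options ALTQ_CBQ", an external interface named fxp0, and constructed administrative addresses in 192.0.2.0/24; the pf syntax used is the OpenBSD 3.5 dialect that FreeBSD 5.3 ships (no "set skip", "overload" or "max-src-conn").

```pf
# /etc/pf.conf (added example; interface name and admin hosts are assumptions)
ext_if      = "fxp0"
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # constructed example addresses

# ALTQ: a CBQ tree for traffic leaving the external interface. pfctl prints
# "No ALTQ support in kernel" and ignores these lines unless the kernel was
# built with "options ALTQ" and "options ALTQ_CBQ" (assumption: see handbook
# kernel configuration chapter). Link speed below is a placeholder.
altq on $ext_if cbq bandwidth 2Mb queue { q_www, q_ssh, q_other }
queue q_www   bandwidth 70% cbq(borrow)
queue q_ssh   bandwidth 10% priority 6 cbq(borrow)
queue q_other bandwidth 20% cbq(default)

# Normalise every inbound packet before filtering.
scrub in all

# Default deny in both directions; log what is dropped so abuse is visible.
block log all

# Loopback is trusted.
pass quick on lo0 all

# Let the server itself make outbound connections (DNS, pkg_add fetches).
pass out on $ext_if proto { tcp, udp } from $ext_if to any keep state \
    queue q_other
pass out on $ext_if inet proto icmp from $ext_if to any keep state

# SSH only from administrative hosts; replies go into the ssh queue.
pass in on $ext_if proto tcp from $admin_hosts to $ext_if port ssh \
    flags S/SA keep state queue q_ssh

# The posted web rule, plus queue assignment. The state options mean:
#   max 200          at most 200 concurrent states created by this rule
#   source-track rule per-source counters are kept for this rule only
#   max-src-nodes 100 at most 100 distinct client addresses tracked
#   max-src-states 3  each client address may hold at most 3 states
# Caveat: a whole office behind one NAT address shares those 3 states,
# so raise max-src-states if legitimate clients arrive via NAT.
pass in on $ext_if proto tcp from any to $ext_if port www \
    flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3) \
    queue q_www
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf"; "pfctl -s queue" then shows the queue tree if ALTQ is present in the kernel, and "pfctl -s state" shows the per-rule state counts.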