PF firewall rules and documentation

Da Rock freebsd-questions at herveybayaustralia.com.au
Mon Jan 31 11:01:51 UTC 2011 

On 01/31/11 20:30, Patrick Lamaiziere wrote:
> Le Sat, 29 Jan 2011 12:39:18 +1000,
> Da Rock<freebsd-questions at herveybayaustralia.com.au>  a écrit :
>
>    
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation
>> for pf.
>>
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD, OpenBSD appears to be further
>> advanced than this based on the current docs.
>>      
> Yes, you should refer to the OpenBSD 4.1 Packet FAQ :
> http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf
>
>    
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the
>> site pf is default allowing traffic.
>>      
> According to a current discussion on misc at openbsd.org. It allows
> traffic to pass but without creating states.
>    
Exactly. 'permitting' is the term in the handbook I believe.
>    
>> So explicit rules to block
>> should be set first and then rules set to allow what is needed in.
>> Some assumptions are made in the rules by the interpreter, so
>> according to OpenBSD one can (even in the older versions) simply
>> state block and it is interpreted as 'block on $interfaces all'. This
>> turned out to not be the case.
>>      
> Ah? Do have an example for this?
>    
Yes. Me unfortunately, but I did manage to pick it up quite quickly 
though. I had a little thief attack one of my ports and attempt login on 
the firewall. I had to change it to 'block in $log on $ext_if all
block out $log on $ext_if all' to actually block the traffic. Bit of a 
doozy really, I'm still monitoring the traffic very closely with tcpdump 
on the interface and not the log.

Thankfully I was also getting ready to update and completely rebuild 
most (scratch that- all) of my systems to newer and more manageable levels.
>
>    
>> I know this has come up before, but I think it might be time to
>> document pf.conf properly. It seems to be a bit of security risk not
>> to. Users may be mistaken in their belief of their security on the
>> network using pf, and may be less likely to trust again when it
>> breaks.
>>      
> This is true, many things are now more precise in the manual page of
> OpenBSD's PF. But it will be hard to merge only these precisions in our
> pf.conf manual page.
>
> There are some plans to update PF to a more recent version. So may
> be it will be better.
>    
Actually, that sounds like a better idea than mine ;) Kills 2 birds with 
one stone then...

More information about the freebsd-questions mailing list