Configuring PF

Pat Maddox pergesu at gmail.com
Thu Feb 17 02:18:19 GMT 2005


I've managed to come up with something that works so far.  I am having
two problems though.

The first is that I can't authenticate for IMAP anymore.  No clue why,
it just keeps rejecting my password.  maillog shows imapd: LOGIN
FAILED, that's it.

Also, after enabling pf, all my UDP ports show as open.  I've got a ruleset of
block in log on $ext_if proto udp all

So all UDP ports should be shown as closed.  Doesn't really make any
sense to me.  Anyone care to help?

Thanks for the help so far.

Pat


On Wed, 16 Feb 2005 13:26:37 +0100, Volker Kindermann <ml at ps102.de> wrote:
> Hi Pat,
> 
> 
> > Is there any place I can find a good default ruleset for a server, and
> > just change what ports I want open?
> 
> pf originates at openbsd. There you'll find lots of documentation, the
> pf-faq, and the (as always in the BSD world) excellent manpages.
> 
> In addition there's the pf-repository at: https://solarflux.org/pf/
> 
> And there are some books which include examples.
> 
> 
> > Also, I've noticed that some rulesets will have different flags and
> > keep state on for certain TCP ports, but not others.  For example, at
> > https://www.section6.net/help/pf.php I found:
> > #WebServer, HTTPS, 8000
> > pass in on $extif proto tcp from any to any port 80 flags S/SA
> > pass in on $extif proto tcp from any to any port $tcp_services flags
> > S/SA synproxy state
> >
> > tcp_services is {22, 443}
> >
> > I don't understand why they use synproxy state for 22 and 443, but not 80
> 
> Because synproxy as a security feature has a drawback: speed. Do you
> understand what synproxy does? It completes the three-way handshake at
> the firewall first and only if this succeeds it forwards the connection
> to the (web)server. This takes some small amount of time.
> 
> Acceptable with protocols like ssh and https but mostly unacceptable
> with http.
> 
>   -volker
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
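The following pf.conf is an added example, not a ruleset posted by anyone in the thread. It puts the two points discussed above into one loadable file: synproxy on the low-volume services (22, 443) but plain state on 80, and the UDP rule written with an explicit block policy. The interface name em0, the service list and the use of keep state are assumptions for this example. One caveat that bears on the UDP question: a bare `block` uses the default `block-policy`, which is `drop`, and a silently dropped UDP probe gets no ICMP port-unreachable back, so a port scanner cannot tell a filtered port from an open one and reports it as open|filtered rather than closed; `block return` answers with ICMP unreachable and the same ports then show as closed.

```pf
# Added example (not from the original thread): minimal pf.conf for a
# FreeBSD server. Assumptions: external interface em0, services ssh,
# http, https. Check with: pfctl -nf /etc/pf.conf

ext_if = "em0"
tcp_services = "{ 22, 443 }"

set skip on lo0
# Default policy for "block" rules that do not say drop/return themselves.
set block-policy drop

scrub in on $ext_if all

# Default deny, logged.
block in log on $ext_if all

# UDP: with block-policy drop, a scanner sees no reply and reports
# open|filtered. "block return" sends ICMP port-unreachable instead,
# so the same ports show as closed.
block return in log on $ext_if proto udp all

# HTTP: ordinary stateful pass. No synproxy, because every web
# connection would otherwise pay for a handshake completed at the
# firewall before the first byte reaches httpd.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# SSH and HTTPS: synproxy completes the three-way handshake at the
# firewall and opens the connection to the daemon only afterwards, so
# spoofed SYN floods never reach it. The extra latency is acceptable
# for these comparatively low-rate services.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA synproxy state

# Let the host itself talk out.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check first and `pfctl -f /etc/pf.conf` to apply. To see the UDP difference, scan the host with `nmap -sU` once with `block` and once with `block return`: the first run reports open|filtered, the second closed.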

