Configuring PF

Pat Maddox pergesu at
Sun Feb 20 18:42:42 GMT 2005

On Sun, 20 Feb 2005 06:23:39 -0800, Loren M. Lang <lorenl at> wrote:
> On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> > I want to install a firewall on my system.  First of all, is PF the
> > one I should be using?  It seems to get the most recommendations.
> >
> > I don't actually seem to have any problems configuring it - I just
> > have some problems testing the configuration.  I can ssh to the box,
> > and I can access port 80...but I'd like to be able to just scan it to
> > quickly see what's up.  When PF is disabled, I can nmap it in about 9
> > seconds.  When I turn it on, it takes over 3 minutes to do.  These
> > machines are on the same network, so the connection is obviously fast.
> This is a good thing, IMHO.  Think about all those script kiddies
> sitting out there looking for a nice, juicy server to compromise.  If it
> takes them 3 minutes to port scan your machine, they'll probably cancel
> it before it's finished and move on.

That makes sense to me.  I'd still like to be able to scan it the
first time around to make sure everything's working, then I can just
set it to drop packets, so it takes longer.

I'd still like to find a good example config file that works well for
a web server.

> I believe what's happening is that all ports that aren't open are
> configured to drop packets instead of rejecting them, which is the default.
> Reject means sending back an error message saying the port is closed, whereas
> dropping just ignores it.  The port scanner sends out a request and
> waits for a response, either "Hello," or "Sorry, I'm closed."  It will
> wait quite a while before it decides that nothing's there.
> >
> > Are there any good, pretty simple guides on setting up PF?  I'm having
> > a tough time understanding what the rulesets all mean.
> --
> I sense much NT in you.
> NT leads to Bluescreen.
> Bluescreen leads to downtime.
> Downtime leads to suffering.
> NT is the path to the darkside.
> Powerful Unix is.
> Public Key:
> Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
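Since the thread asks for an example config for a web server and explains the drop-versus-reject trade-off, here is an added example /etc/pf.conf. It is not from any poster on this thread; the interface name em0 and the choice of SSH and HTTP as the only offered services are assumptions, so adjust them to your host.

```pf
# Example /etc/pf.conf for a FreeBSD web server (added example, not from
# the thread).  Interface name and service list are assumptions.
ext_if = "em0"                 # assumption: the external interface
tcp_services = "{ ssh, http }" # assumption: only SSH and HTTP are offered

# What a "block" rule answers with.  "drop" silently discards the packet,
# so a scanner waits out its timeout on every closed port (the 3-minute
# scan in the thread).  Switch to "return" while verifying the ruleset with
# nmap from a trusted host: closed TCP ports then answer with a RST and
# the scan finishes in seconds.  Change it back to "drop" when done.
set block-policy drop
# set block-policy return

# Reassemble fragments and sanity-check incoming packets
scrub in all

# Never filter loopback traffic
pass quick on lo0 all

# Deny everything by default; "log" sends blocked packets to pflog0 so you
# can see what actually hits the firewall
block log all

# Allow only the services this host offers.  "keep state" lets the replies
# back out without a separate "pass out" rule per service.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Allow the host's own outbound connections (DNS lookups, package fetches)
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf" and enabling with "pfctl -e"; blocked packets can be watched with "tcpdump -n -e -ttt -i pflog0" once pflogd is running. Note that the drop policy hides nothing the open ports themselves reveal; it only makes a scan slower, so treat it as a speed bump, not a control, and keep the rule set itself minimal.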
