/etc/pf.conf missing

Daniel Corbe corbe at corbe.net
Mon Feb 9 19:20:44 UTC 2015


Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> writes:

> Chris Stankevitz <chrisstankevitz at gmail.com> writes:
>
>> Q: Should I be alarmed?
>>
>> Handbook section 30.3.1 says "The default ruleset is already created
>> and is named /etc/pf.conf" but that file does not exist on my hard
>> drive.
>
> The Handbook (or at least the obvious interpretation of what it says;
> the awkward phrasing may mean that it was mis-edited at some point) is
> incorrect. 
>
> I'm not sure that a one-size-fits-all default ruleset (of the sort that
> exists for ipfw) is practical for pf.
>
>

The first time I ever messed with pf it was extremely difficult finding
practical examples. Maybe what the distribution needs is more of this
and less of a one-size-fits-all approach.

Teaching tools in the form of configuration examples is also a great way
to get people thinking about security issues.  For example:

How do you get small offices and home users thinking about inbound
connectivity to their IPv6 endpoints now that NAT is no longer a thing?

And I know NAT is a terrible example of a security model; but generally
speaking, people are going to want NAT-like functionality in IPv6 where
you're only passing inbound traffic to inside hosts on established
connections.

I.e.:

# Default deny
block out inet6 all
block in inet6 all

# NAT-like behavior: only traffic this host initiated may come back in
pass out inet6 proto tcp flags S/SA keep state
# "flags" and "modulate state" are TCP-only; pfctl rejects them on udp/icmp6
pass out inet6 proto { udp, icmp6 } keep state

# Inbound rules go here
...
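A fuller IPv6 host ruleset along the lines sketched above, added here as an example and not part of the original post. It fills in the inbound side that a plain default deny breaks: IPv6 Neighbor Discovery and Path MTU Discovery are unsolicited inbound ICMPv6 and must be opened explicitly. The interface name em0 and the single exposed port are assumptions.

```pf
# Added example, not from the original post. Assumed: external interface
# is em0 and the only inbound service is TCP/22.
ext_if = "em0"
inbound_tcp = "{ 22 }"

set skip on lo0
set block-policy drop

# Default deny in both directions, logged so dropped traffic is visible
block log out inet6 all
block log in inet6 all

# NAT-like behavior: whatever this host initiates, and only that, may return
pass out quick on $ext_if inet6 proto tcp flags S/SA keep state
pass out quick on $ext_if inet6 proto { udp, icmp6 } keep state

# IPv6 does not work without ICMPv6 Neighbor Discovery (NS/NA) and Router
# Advertisements, and PMTUD needs "packet too big"; none of these are
# covered by outbound state, so a blanket inbound deny silently breaks
# address resolution, default routes and large transfers.
pass in quick on $ext_if inet6 proto icmp6 \
    icmp6-type { neighbrsol, neighbradv, routeradv, toobig, unreach } keep state

# Optional: answer pings so the host can be monitored from outside
pass in quick on $ext_if inet6 proto icmp6 icmp6-type echoreq keep state

# Inbound services: one explicit, state-tracked rule per exposed port
pass in quick on $ext_if inet6 proto tcp to ($ext_if) port $inbound_tcp \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with block logging enabled, `tcpdump -n -e -ttt -i pflog0` shows exactly which inbound traffic the default deny is dropping.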
