Configuring PF
Volker Kindermann
ml at ps102.de
Wed Feb 16 12:26:11 GMT 2005
Hi Pat,
> Is there any place I can find a good default ruleset for a server, and
> just change what ports I want open?
pf originates at openbsd. There you'll find lots of documentation, the
pf-faq, and the (as always in the BSD world) excellent manpages.
In addition there's the pf-repository at: https://solarflux.org/pf/
And there are some books which include examples.
> Also, I've noticed that some rulesets will have different flags and
> keep state on for certain TCP ports, but not others. For example, at
> https://www.section6.net/help/pf.php I found:
> #WebServer, HTTPS, 8000
> pass in on $extif proto tcp from any to any port 80 flags S/SA
> pass in on $extif proto tcp from any to any port $tcp_services flags S/SA synproxy state
>
> tcp_services is {22, 443}
>
> I don't understand why they use synproxy state for 22 and 443, but not 80
Because synproxy as a security feature has a drawback: speed. Do you
understand what synproxy does? It completes the three-way-handshake at
the firewall first and only if this succeeds it forwards the connection
to the (web)server. This takes some small amount of time.
Acceptable with protocols like ssh and https but mostly unacceptable
with http.
-volker
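As an added illustration (not part of the thread or of the section6.net ruleset), a minimal server pf.conf that applies the trade-off described above: synproxy for the low-volume ssh and https ports, plain stateful filtering for http, on top of a default-deny policy; the interface name and service list are assumed values to adjust for the host.

```pf
# Macros (assumed values; set to the host's external interface and services)
ext_if = "em0"
tcp_services = "{ 22, 443 }"

# Options: never filter loopback traffic
set skip on lo0

# Normalisation: reassemble fragments and sanity-check packets
# before they reach the state table
scrub in all

# Filtering: default deny inbound, log what is dropped
block in log all

# Drop packets arriving on ext_if that claim our own addresses as source
antispoof quick for $ext_if

# SSH and HTTPS: the firewall completes the 3-way handshake itself and
# only then opens the connection to the daemon. Protects the daemons
# from SYN floods at the cost of extra latency per connection.
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA synproxy state

# HTTP: high connection rate, so avoid the synproxy latency; only a bare
# SYN (S/SA) may create state, replies are matched by the state entry
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# Let the server itself talk out; replies come back via state, not rules
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`.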
More information about the freebsd-questions
mailing list