are these pf.conf settings correct ?

[daemonfowl]

Hi
This my first attempt to touch pf.conf .. if there is something foolish please don't be aggressive.
Following FAQ 6 , I have :
in hostname.wpi0 :

Code:

dhcp NONE NONE NONE

in hostname.bce0 :

Code:

up media 10base2

in hostname.bridge0 :

Code:

add wpi0
add bce0
up

* Are these settings correct to allow http ssh and ftp ?

Code:

pass in quick on bce0 all
pass out quick on bce0 all
block in  on wpi0 all
block out on wpi0 all

pass in quick on wpi0 proto tcp from any to any port {22, 80, 21} \
     flags S/SA keep state

* I'd like to allow amule too , how could I set pf.conf to tighten security while still be able to use the p2p client ?

Thank you very much !!

[daemonfowl]

Maybe I should pass udp as well , to allow dhcp ..

[ocicat]

Quote:

Originally Posted by daemonfowl

in hostname.bce0 :

Code:

up media 10base2

Coax?

[jggimi]

ocicat, that's from daemonfowl blindly copying and pasting from FAQ 6.9, without comprehension. Only NIC names were changed.

The bce(4) NIC and the bmtphy(4) PHY do not have 10Base2 Ethernet media adapters.

---

The PF configuration shown is identical to the FAQ's -- except for the addition of the FTP control port 21. There is no ftp-proxy, nor passing of a range of ports for data connections.

daemonfowl, FTP is a complex protocol; so complex it has its very own chapter in the PF User's Guide. What you have posted will not work for FTP.

[daemonfowl]

Quote:

ocicat, that's from daemonfowl blindly copying and pasting from FAQ 6.9, without comprehension. Only NIC names were changed.

That's right Teacher ! & I hope you're not shocked .. well it's really my 1st attempt to play ith pf :-)
I've changed that line .. 'up' is enough so it will use autoselect (defaults) .. but if you deem simplication is better I may do without the bridge.

There was a contribution by oko , an example of a working pf.conf that maybe I can elaborate on to meet my needs and my needs for a box are : http/ftp/ssh/ plus being able to use p2p (amule & bitorrent)
Here is oko's sample pf.conf :

Code:

ext_if="rl0"

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if


pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

[jggimi]

Quote:

Originally Posted by daemonfowl

...an example of a working pf.conf that maybe I can elaborate ...

No. Do not copy and paste something you do not understand. Let me quote from another post of mine, from last year. I don't think you've seen it.

Quote:

Originally Posted by jggimi

...I am concerned by what I have seen in the pf.conf you have posted. It appears that you have copied and pasted a pf.conf file from some "how-to" you found on the Internet.... I am guessing that you did not realize [your error] because you copied and pasted from someone else's configuration file, and then hoped things would work for you. Let us quote from Peter Hansteen's The Book of PF:

Quote:

If you are unable to understand and explain a configuration change you are making, then you are doing something wrong.

[ocicat]

Quote:

Originally Posted by daemonfowl

I hope you're not shocked ..

Rather, disappointed.

daemonfowl, you will find in the OpenBSD community very little sympathy for those who simply cut-&-paste others work having little to no comprehension of what it does.

Quote:

There was a contribution by oko , an example of a working pf.conf that maybe I can elaborate on to meet my needs...

...& how do you know that it is a working pf.conf? With which version of OpenBSD? Have you confirmed functionality through use of tcpdump(8)?

[daemonfowl]

I agree that copy/paste is not the right way to learn
I see those examples as starting points for me to first *start* walking ..
at this moment I ned to set my still immature pf.conf to allow p2p ?
Do I have to first learn about p2p and tcp ip to start using pf.conf ??
OpenBSD is a shoreless sea as is Unix .. how can I use it to serve me this ? at this time ?
As to learning it is and must be a life process but every mortal has their own tempo/rhythm/ pace .. I believe myself to have the slowest .. and yet I'm not psychologically ( :-) ) ready to stop using a great OS just because it's hard for me .. that's it.
(There are lots of people -I'm sure- who are having the same -if not worse- issue but abstain from exposing it here or there :-) not to be ridiculed .. well only the shy and the boastful who wouldn't learn a thing )

[ocicat]

Quote:

Originally Posted by daemonfowl

I agree that copy/paste is not the right way to learn

Yet, we see evidence of it again & again with you...

Quote:

how can I use it to serve me this ?

Read. Study. Don't try to find shortcuts. Two places to begin are:

• The PF User's Guide.
• Hansteen's online manuscript. I know I have provided this link to you before.

[jggimi]

Quote:

Originally Posted by daemonfowl

at this moment I ned to set my still immature pf.conf to allow p2p ?

You would need to have a very clear understanding of the protocols and ports used by your p2p application, so that you can determine what exact traffic you wish to allow, and what traffic you wish to deny.

Quote:

Do I have to first learn about p2p and tcp ip to start using pf.conf ??

Yes. TCP/IP networking knowledge is an absolute requirement. PF's purpose is to manage network traffic. You must set the rules, based on your knowledge of that traffic. Your traffic will be unique. Copy/Paste/Hope is not a path to success.

[ocicat]

And for fans of dead trees, the following is the best book I have read on the general theory of TCP/IP:

http://www.amazon.com/Routing-TCP-Vo...rds=jeff+doyle

[jggimi]

Here is someone who "manages" what he does not understand. Do you want to be like him?



Do you truly wish to make network decisions in ignorance? You could harm more than your own systems. An improperly configured network is a network which may be open to attack, and could be used as a vector to launch attacks on other networks. You may not care about your own systems. But you should be a responsible Internet citizen and not -- through willful ignorance -- cause problems for others.

[ai-danno]

As a suggestion, you should annotate your pf.conf file with your own thoughts, understandings, and misgivings. Drill down on every line to understand WHY it is there. pf is there to guard your system, so if you can't vet your guards, how can you be sure they are guarding you?

One misgiving that is repeated in the OpenBSD community is that a great deal of software (generally speaking here) is written for feature and functionality first, and then has security added later. This is a terrible approach, and is one major reason why you don't see tons of new software in the OpenBSD system. Translate that into your use of the system itself (and in this case securing the system via pf), and you can see that it's better to be sure you are secure first, and then able to do all the fun stuff that you want to do.

If you contribute pf.conf files to others for review, having it well annotated can not only help them get 'up to speed' on your setup faster, but it can also show them that you are sure about certain things and not sure about others. Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation.

Also, pf can be quite complex- asking a question here about a single function or line is not a bad thing at all (given proper context, of course), and may provide the ability to show the rest of the forum how a particular thing should be done in pf. It also tends to keep people focused .

[daemonfowl]

Quote:

Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation.

Thank you so much ! I agree .. I had in mind starting first from -to my mind- a more generic working sample and start reshaping it to meet my needs .. just as when a kid leaning html is first given a basic skeleton then invited to better it .. It's not that I was looking for a ready-made pf.conf to be always used and/or for all boxes .. I still believe examples are vital for learning and not everyone is capable of putting theory into practice the first time ..