Running a sample pf.conf, I get strange messages.


prdeltoid
June 16th, 2010, 19:48
I tried using this pf.conf that I found:
http://www.whmcr.com/old-content/openbsd-freebsd-pfconf/
When I put this in /etc/pf.conf and this in my /etc/rc.conf:
home# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Tue Jun 15 00:46:39 2010
# Created: Tue Jun 15 00:46:39 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="home"
ifconfig_rl0="DHCP"
linux_enable="YES"
moused_enable="YES"
hald_enable="YES"
dbus_enable="YES"
gdm_enable="YES"
gnome_enable="YES"
pf_enable="YES"
pflog_enable="YES"

and run /etc/rc.d/pf start, it shows this:
home# /etc/rc.d/pf start
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for 80.xx.xx.xx/32
/etc/pf.conf:17: could not parse host specification
no IP address found for 80.xx.xx.xx/32
/etc/pf.conf:21: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled

What happened? Should it still work? What should I do?

prdeltoid
June 16th, 2010, 19:50
Does anyone know of a better pf.conf file that I can use?

prdeltoid
June 16th, 2010, 20:13
What about this one, at the bottom of the page:
http://www.openbsd.org/faq/pf/example1.html
Please let me know if that's a good one. It seems like it should be. How would I stealth the ports for this? I would like stealth.

DutchDaemon
June 17th, 2010, 00:40
If you put 80.xx.xx.xx/32 in your own pf.conf, literally, may I suggest you first read the PF FAQ before using a random pf.conf off the net? PF is way too serious for an uninformed cut & paste job.

prdeltoid
June 17th, 2010, 02:08
I know, once I read the errors real carefully and looked more closely at the pf.conf file example that I had pasted I decided to go with my second post. It's from OpenBSD's website and it's an example for home or small office. I haven't read yet about how to make my own because I'm new to FreeBSD and have been reading about other things... it seems like it should be a good one, and I've been using it all day.

prdeltoid
June 17th, 2010, 02:15
I need a pf.conf that is very secure and doesn't allow access to any ports and preferably stealths the ports. I don't have any reason to have anyone be able to access anything on my computer.

SirDice
June 17th, 2010, 07:19
Here's a really simple one; it'll block all incoming traffic while allowing everything to go out.


myint="rl0"

block in log all

pass out on $myint from any to any keep state


You can see what's being blocked by capturing the traffic on pflog0:
tcpdump -ni pflog0

prdeltoid
June 19th, 2010, 23:42
Would that stealth ports? If not, is there a very easy way to add it to the example? That's what I want, all blocked. Simple. I would appreciate being able to pass the Shields Up test.

DutchDaemon
June 20th, 2010, 01:25
pf.conf(5):

    set block-policy
        The block-policy option sets the default behaviour for the packet
        block action:

        drop    Packet is silently dropped.
        return  A TCP RST is returned for blocked TCP packets, an ICMP
                UNREACHABLE is returned for blocked UDP packets, and all
                other packets are silently dropped.

    For example:

        set block-policy return
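Putting the two answers together, here is a complete ruleset of the kind the thread is asking for: SirDice's default-deny-in / pass-out ruleset plus the block-policy DutchDaemon quotes. This is an added example, not a file posted in the thread or shipped by FreeBSD; the only thing taken from the thread is the interface name rl0 from the poster's rc.conf. The `set skip on lo0` line is an addition a practitioner would want: a bare `block in log all` also blocks packets arriving on the loopback interface, which breaks local services that talk to 127.0.0.1. `drop` is pf's default block policy, so stating it only documents the intent; it is what makes closed ports "stealth" (no RST, no ICMP unreachable) for a scanner such as Shields Up.

```pf
# Minimal "stealth" pf.conf for a single-homed FreeBSD desktop.
# Added example; only the interface name rl0 comes from the thread.
ext_if = "rl0"

# Silently discard blocked packets instead of answering with a TCP RST
# or ICMP unreachable. This is the default, stated here for clarity.
set block-policy drop

# Do not filter loopback; otherwise "block in all" below would also
# drop connections to 127.0.0.1 (local daemons, X clients, etc.).
set skip on lo0

# Normalise incoming traffic (reassemble fragments, drop bad packets).
scrub in all

# Default deny for everything arriving on the external interface.
# "log" sends the blocked packets to pflog0 for inspection.
block in log on $ext_if all

# Allow anything this host initiates; "keep state" lets the replies
# (including ICMP errors for those flows) back in through the block.
pass out on $ext_if from any to any keep state
```

Check the syntax before loading it, since a parse error (like the `80.xx.xx.xx/32` placeholder in the first post) leaves the old rules or no rules in place: `pfctl -nf /etc/pf.conf` parses without loading, and `pfctl -f /etc/pf.conf` (or `/etc/rc.d/pf reload`) loads it. The "No ALTQ support in kernel" lines are harmless unless you use queueing. Watch what is being dropped with `tcpdump -ni pflog0`; with this ruleset, inbound ICMP echo is dropped too, so the host will not answer pings.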