PF What is the ideal PF config for a workstation?

[rmomota]

Hi!
I'm replacing ipfw for pf.
Is this a correct move? I mean is pf better in terms of security and performance than ipfw?

I had a simple ipfw setup for workstation setup with a SSH inbound rule only so I would like to setup pf.conf the same way.

I noticed that in most posts there are macros for ext_if and loopback_if and etc, interface specific rules set.
I would like to have interface generic pf.conf setup in order to keep the same rules despite I'm using ethernet or wifi.

Is there any recommended base pf.conf where I can start my customization?

Thank you.

 

[xibo]

I mean is pf better in terms of security and performance than ipfw

Is there any performance or security issue you have with ipfw that you could think pf could be better at?

Is there any recommended base pf.conf where I can start my customization?

What do you want to do with your firewall?

I don't see much of a point in running a firewall at all on a workstation at all, unless you have a use case that _forces_ you to use a firewall, e.g. you want to deploy jails w/o being able to grab additional IP addresses in your local network.

 

[gotnull]

Is there any recommended base pf.conf where I can start my customization?

You can start with this one:

A FreeBSD 11 Desktop How-to

A guide to a full-featured modern desktop FreeBSD installation

cooltrainer.org

Actually the entire page contains useful information for a desktop usage on FreeBSD.

 

[rmomota]

Is there any performance or security issue you have with ipfw that you could think pf could be better at?


What do you want to do with your firewall?

I don't see much of a point in running a firewall at all on a workstation at all, unless you have a use case that _forces_ you to use a firewall, e.g. you want to deploy jails w/o being able to grab additional IP addresses in your local network.

no performance issues, I was just asking
yes I need to have pf for jails and podman (with linux enabled) not having so much success in this last one but that seems to be other story.
I'm trying to figure out if I can use a freebsd workstation to develop and test containers to later use in kubernetes.

 

[CeXP1917]

I had a simple ipfw setup for workstation setup with a SSH inbound rule only so I would like to setup pf.conf the same way.

Simple may looks like this:

set skip on lo

block in all
pass out quick all

pass in log proto tcp from any port 22

 

[rmomota]

You can start with this one:

A FreeBSD 11 Desktop How-to

A guide to a full-featured modern desktop FreeBSD installation

cooltrainer.org

Actually the entire page contains useful information for a desktop usage on FreeBSD.

Thank you!
This really helped a lot.

 

[gotnull]

You are welcome

If you need there are more advanced examples in /usr/share/examples/pf, desktop examples are missing but this one could fit in.

 

[CShell]

There is also a guide book on PF (really from OpenBSD but largely applies to FreeBSD PF as well) you can buy titled: The Book of PF. I own the 2nd edition.