Handbook PF tutorial

wblock@

Developer
Peter Hansteen, author of the famous Book of PF, mentioned to me at BSDCan 2012 that he had submitted a patch to add a PF tutorial to the Handbook. Somehow, it was overlooked and had not made it into the Handbook. I took the original patch and edited it to work with the current version of the Handbook. At BSDCan 2013, we met again and finished up the work, and I committed it today:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html#pf-tutorial

My thanks to Mr. Hansteen for his patience and help, and also to the FreeBSD Foundation which made this work possible.
 
The second simple example ("Tighter and More Elegant") includes
Code:
udp_services = "{ domain }"
pass proto udp to any port $udp_services keep state

which would allow also incoming DNS traffic via UDP. Since the rest of the example only allows outgoing traffic (i.e. traffic initiated from the inside), shouldn't this be written as

Code:
udp_services = "{ domain }"
pass out proto udp to any port $udp_services keep state
? This would nicely demonstrate again PF's ability to keep state for stateless UDP connections.
 
I didn't read the updated chapter yet but it looks like you're correct, without the out directive the first rule would also allow incoming DNS traffic on any interface.
 
Reply from Peter Hansteen:
The poster is right, the pass out variant would let return traffic back in, assuming the traffic originated on the host running PF or originates somewhere that matches a pass in rule elsewhere in the rule set. But if tightening is the main point I would suggest something along the lines of

Code:
pass proto udp from $clients to port $udp_services keep state

where the clients macro expands to all hosts under your control that have any reason to request name service. out is useful, but likely to confuse learners in this context, I think.
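An added example, not taken from the Handbook section or from any post in this thread, that puts the three UDP rule variants discussed above side by side in one complete pf.conf so the difference is visible in context. The interface name, the client addresses, the `set skip on lo` line and the surrounding `block all` are assumptions for illustration only; the macros follow the Handbook's naming.

```pf
# Added example (not Handbook or thread code). Assumed host with one
# external interface; addresses in $clients are assumed values.
ext_if = "em0"
clients = "{ 192.0.2.10, 192.0.2.11 }"   # assumed: hosts allowed to query DNS
udp_services = "{ domain }"

set skip on lo

# Default deny in both directions; everything below is an exception.
block all

# Variant 1 (Handbook "Tighter and More Elegant", as posted): no direction
# keyword, so the rule matches inbound as well as outbound on every interface
# and an unsolicited DNS query from anywhere may reach port 53 on this host.
# pass proto udp to any port $udp_services keep state

# Variant 2 (first reply): limit to outbound. The state entry created on the
# way out still admits the UDP reply even though there is no "pass in" rule,
# which is the stateful handling of stateless UDP the reply mentions.
# pass out proto udp to any port $udp_services keep state

# Variant 3 (Hansteen): restrict by source instead of by direction. Only
# $clients can create the state, and no direction keyword is needed.
pass proto udp from $clients to any port $udp_services keep state
```

Before loading any of these, check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`; swap the commented variant in and out and compare `pfctl -sr` output to see how each one expands.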
 
Tangent:

In 2013, is there any reason a default firewall is not included in the installer? Something along the lines of:
31.4.6.1. The Simplest Rule Set Ever
?

Yes, some people prefer ipfw or ipf over pf, but surely it's about time that a simple "block anything incoming not explicitly allowed, and not requested" policy is enabled by default?

Those who need more than that to run servers should know what they're doing, those who don't need anything more complicated (i.e., desktop users) can just run with the defaults.
 
throAU said:
Tangent:

In 2013, is there any reason a default firewall is not included in the installer? Something along the lines of:

Well, there are several simple configurations available using /etc/rc.firewall (using ipfw).

I don't remember exactly how and if it still works. Something like:
Code:
# /etc/rc.conf
firewall_enable="YES"
firewall_type="workstation"   # see /etc/rc.firewall for the available types

Regards.
 
FreeBSD gives you lots choices but does not force anything on you, that's why there's no firewall enabled by default.

If you take a completely minimal installation with nothing in rc.conf(5) other than the initial configuration done by the installer with no services enabled it's easy to argue that a firewall does not improve the security of that system in any way.
 
Available != secure out of the box.

I am aware of there being example firewalls, but really, in 2013 it should (at least) IMHO be a prominent tickbox in the installer:
Code:
[X] Enable firewall:  Block all unsolicited incoming traffic, for customization see /etc/rc.firewall

Or whatever.

People are lazy. New people to FreeBSD are (potentially) completely unfamiliar with setting up a firewall in FreeBSD, and until they learn, having them both (relatively) secure out of the box and informed of where to tweak if required can only be a good thing?

rlogin and telnet were the default remote access programs many years ago, and this changed due to security best practice moving on.
 