Basic PF setup

I'm following the handbook here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#firewalls-pf

My /etc/pf.conf looks like this since "The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet."
Code:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block in all
pass out all keep state
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state

In the terminal...
Code:
# service pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled

# service pflog start
Starting pflog.

# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled

Is it safe to ignore those ALTQ messages? And does my pf.conf look fine? Or is there a better/safer ruleset?

Thanks.
 
mj12net said:
Is it safe to ignore those ALTQ messages?
Yes, those are fine. ALTQ can only be enabled on a custom kernel. The messages would go away but they don't do any harm.


And does my pf.conf look fine? Or is there a better/safer ruleset?
Looks fine for a start. There are always ways to improve things ;)
 
Thanks for your replies.

And how do I add a rule to allow CUPS (localhost:631)? When PF is enabled it's not going through.
 
Add this rule, it's almost always a good idea unless you want to start playing with filtering on lo0 which is a very advanced concept:

Code:
set skip on lo0
 
kpa said:
Add this rule, it's almost always a good idea unless you want to start playing with filtering on lo0 which is a very advanced concept:

Code:
set skip on lo0

Worked, thank you!
 
Yes, there is a certain order for options and rules. From the pf.conf(5) manual page:

Code:
STATEMENT ORDER
     There are seven types of statements in pf.conf:

     Macros
           User-defined variables may be defined and used later, simplifying
           the configuration file.  Macros must be defined before they are
           referenced in pf.conf.

     Tables
           Tables provide a mechanism for increasing the performance and flex‐
           ibility of rules with large numbers of source or destination
           addresses.

     Options
           Options tune the behaviour of the packet filtering engine.

     Traffic Normalization (e.g. scrub)
           Traffic normalization protects internal machines against inconsis‐
           tencies in Internet protocols and implementations.

     Queueing
           Queueing provides rule-based bandwidth control.

     Translation (Various forms of NAT)
           Translation rules specify how addresses are to be mapped or redi‐
           rected to other addresses.

     Packet Filtering
           Packet filtering provides rule-based blocking or passing of pack‐
           ets.

The set skip rule is actually an option and should be placed before any scrub, queue, nat or filter rules. The scrub rules should come after the options but before any queue, nat or filter rules.
 
kpa said:
Yes, there is a certain order for options and rules. From the pf.conf(5) manual page:

Code:
STATEMENT ORDER
     There are seven types of statements in pf.conf:

     Macros
           User-defined variables may be defined and used later, simplifying
           the configuration file.  Macros must be defined before they are
           referenced in pf.conf.

     Tables
           Tables provide a mechanism for increasing the performance and flex‐
           ibility of rules with large numbers of source or destination
           addresses.

     Options
           Options tune the behaviour of the packet filtering engine.

     Traffic Normalization (e.g. scrub)
           Traffic normalization protects internal machines against inconsis‐
           tencies in Internet protocols and implementations.

     Queueing
           Queueing provides rule-based bandwidth control.

     Translation (Various forms of NAT)
           Translation rules specify how addresses are to be mapped or redi‐
           rected to other addresses.

     Packet Filtering
           Packet filtering provides rule-based blocking or passing of pack‐
           ets.

The set skip rule is actually an option and should be placed before any scrub, queue, nat or filter rules. The scrub rules should come after the options but before any queue, nat or filter rules.

So mine should look like:

Code:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
set skip on lo0
block in all
pass out all keep state

Before the "block in all"?
 
Yes. Put the scrub rule in too:


Code:
#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
#udp_services = "{ domain }"

set skip on lo0

scrub in all

block in all
pass out all

These rules are not making use of the two macros that are defined (tcp_services and udp_services), so you can comment them out until you really start using them. Also, keep state is always on by default unless you explicitly set no state in a rule, so that can be left out.
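A small statement-order checker that encodes the STATEMENT ORDER section of pf.conf(5) quoted earlier in this thread, as an added example that is not code from the thread or from FreeBSD's pf. The rank table is an assumption drawn from that manual section (macros, tables, options, scrub, queueing, translation, filtering); the two pf.conf files are constructed, the first following the ruleset agreed on above and the second moving scrub in all after block in all. It catches the ordering mistake discussed here before the file is loaded; pfctl -nf /etc/pf.conf remains the authoritative check on a real system.

```shell
#!/bin/sh
# pf.conf statement-order checker. Added example, not code from the thread
# or from FreeBSD. The ranks below are an assumption taken from the
# STATEMENT ORDER section of pf.conf(5): macros, tables, options, scrub,
# queueing, translation, filtering. pfctl -nf FILE is still the real parser.

# pf_rank STATEMENT: print the rank of one (already left-trimmed) line,
# nothing for blank/comment lines, 0 for statements this checker does not know.
pf_rank() {
    case "$1" in
        ''|'#'*)                                   ;;  # blank or comment
        'table '*)                  printf '2\n' ;;  # tables
        'set '*)                    printf '3\n' ;;  # options, e.g. set skip on lo0
        'scrub '*)                  printf '4\n' ;;  # traffic normalization
        'altq '*|'queue '*)         printf '5\n' ;;  # queueing
        'nat '*|'rdr '*|'binat '*|'nat-anchor '*|'rdr-anchor '*|'binat-anchor '*)
                                    printf '6\n' ;;  # translation
        'pass '*|'block '*|'antispoof '*|'anchor '*)
                                    printf '7\n' ;;  # packet filtering
        *=*)                        printf '1\n' ;;  # macro definition; checked last so
                                                     # "port = 80" inside a rule is not one
        *)                          printf '0\n' ;;  # unknown statement
    esac
}

# pf_order_check FILE: return 0 when every statement is at or after the rank
# of the one before it, 1 (with a message) at the first out-of-order statement,
# 2 at the first statement the checker cannot classify.
pf_order_check() {
    prev=0
    prev_stmt=''
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        stmt=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')   # strip leading whitespace
        rank=$(pf_rank "$stmt")
        if [ -z "$rank" ]; then
            continue
        fi
        if [ "$rank" -eq 0 ]; then
            printf 'line %d: cannot classify "%s"\n' "$lineno" "$stmt"
            return 2
        fi
        if [ "$rank" -lt "$prev" ]; then
            printf 'line %d: "%s" must come before "%s"\n' "$lineno" "$stmt" "$prev_stmt"
            return 1
        fi
        prev=$rank
        prev_stmt=$stmt
    done < "$1"
    return 0
}

# Two constructed pf.conf files: the first follows the ruleset agreed on in
# the thread, the second puts scrub after the filter rules.
PF_WORK=$(mktemp -d)
GOOD_CONF="$PF_WORK/good.conf"
BAD_CONF="$PF_WORK/bad.conf"

cat > "$GOOD_CONF" <<'EOF'
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"

set skip on lo0

scrub in all

block in all
pass out all
EOF

cat > "$BAD_CONF" <<'EOF'
set skip on lo0
block in all
scrub in all
pass out all
EOF

# Stand-alone demo: report both files.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if pf_order_check "$f"; then
        echo "$f: statement order OK"
    else
        echo "$f: fix the order above, then verify with: pfctl -nf $f"
    fi
done
```

Run it as a plain sh script; for a file of your own, call pf_order_check /etc/pf.conf after sourcing it. Unknown keywords are reported rather than guessed at, so an include line or a statement the table does not list stops the check instead of being silently ranked.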
 
kpa said:
Yes. Put the scrub rule in too:


Code:
#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
#udp_services = "{ domain }"

set skip on lo0

scrub in all

block in all
pass out all

These rules are not making use of the two macros that are defined (tcp_services and udp_services), so you can comment them out until you really start using them. Also, keep state is always on by default unless you explicitly set no state in a rule, so that can be left out.

This worked, thanks.
 