I have to agree on all these points. PF is the absolute best firewall I've
used on any platform. Not only is it the simplest to configure but it has
superior logging facilities.

I'd much rather not have any ISP tell me what traffic I can or cannot
receive. If you do that, say goodbye to open internet access or they'll do
what other unnamed ISPs are currently doing *ahem*Comcast*ahem* and tell
you how much data you can use, what mail ports are open - never mind if you
use any third party mail servers, what times of the day you get more
bandwidth, etc.

Learning how to set up your own security is beneficial for all anyway.

On Thu, Feb 14, 2013 at 7:02 PM, Scott McEachern <sc...@blackstaff.ca> wrote:

> On 02/14/13 18:20, Daniel Bertrand wrote:
>
>> I was wondering what your stance is about the constant hack attempts on
>> machines on our ISP networks.. I see CONSTANT scanning for ports from all
>> over the world, mostly from Italy, Russia, and China.
>>
>
> Everyone does.  You can find lists of IP ranges on a per-country basis on
> the 'net and block specific countries if you wish. However, unless you're
> running services open to the public (eg. web servers) there isn't much
> point.  (Even if you are, some would argue blocking by country is useless
> anyway.)
>
>> Every firewall/router product that I have purchased has been compromised
>> so far.
>>
>
> Yes, pf on OpenBSD kicks ass.  pf ported to other OSes is always behind
> the times, sometimes way behind.
>
>> Is there really a secure, trustworthy adaptive filtering firewall
>> configuration for each OS configuration out there?
>>
>
> When you're connected to the Internet, it's all about TCP/IP, which is OS
> agnostic.  What matters are the services you want to be accessible.
>
>> Most people who are on the net are completely oblivious and helpless when
>> it comes to this constant trolling for access, they have no idea what to do
>> to secure their machines.
>>
>
> Most (but not all) home routers (DSL modems) filter automatically which
> protects to some degree.  From there, your mileage will vary. But you are
> right that most people don't realize they are under constant attack.  (Try
> "block log all" to get the full picture.)
>
>> Shaw has neglected me and left me for dead when I ask for better control
>> and protection from malicious attackers.
>>
>
> Like Ryan Freeman said on tech, "you want the isp selectively blocking
> traffic for you?  i don't.", you don't want your ISP filtering for you
> because then what you receive is at _their_ discretion, not yours.
>
> Since you referred to Shaw, I take it you're in Canada?  I haven't dealt
> with Shaw, but I once tried Bell for a month or two a few years back and
> they most certainly do port filtering.  For example, I was unable to run my
> own mail server because they blocked port 25/smtp.
>
> Your idea of "left for dead" is actually desirable if you want to control
> your own connection.  I left Bell and switched to Teksavvy because of it.
> I didn't need Bell "looking out for my best interests", thank-you very
> much.
>
> If you want to discuss this further about your specific setup, please
> contact me privately.
>
>> What do I do to make sure I don't spend money on new hardware but get a
>> PF configuration that I can trust besides "block in all"?
>>
>> Are there published rulesets for Mac/Windows etc. that we can just drop
>> into our pf.conf and /etc/pf.anchors/ directory?
>>
>
> A firewall ruleset is unique to each site.  You're going to have to build
> your own by looking at the pf FAQ (http://www.openbsd.org/faq/pf/index.html) and looking at
> examples. There is no "one size fits all".  Your question is like asking "I
> need a vehicle.  What should I buy?"  However, like beck@ said on tech,
> "block all" is a good place to start.  After that it depends entirely on
> your _specific_ needs.
>
> --
> Scott McEachern
>
> https://www.blackstaff.ca
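
The default-deny starting point recommended above ("block all" as beck@ said, with "block log all" so you can see what is actually hitting the box), written out as an added example of an OpenBSD pf.conf; it is not a ruleset from anyone in this thread, and the interface name em0 and ssh as the only published service are assumptions you would replace with your own:

```conf
# /etc/pf.conf -- default-deny starting point (added example, not from the thread)
ext_if = "em0"                  # assumption: your external interface name

set skip on lo0                 # never filter loopback traffic

# Default deny in both directions. "log" sends every blocked packet to pflog0,
# which is what lets you see the constant scanning the thread talks about.
block log all

# Drop packets whose source address fails a reverse-path check (spoofed sources)
# before any pass rule can match them.
block in quick from urpf-failed

# Let this host originate connections; the state entry lets replies back in.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) modulate state
pass out on $ext_if inet proto icmp from ($ext_if)

# Only the services you actually run get opened. ssh is an assumption here;
# everything else stays blocked (and logged) by the rule above.
pass in log on $ext_if inet proto tcp from any to ($ext_if) port ssh

# Checking and watching the result:
#   pfctl -nf /etc/pf.conf            parse the ruleset without loading it
#   pfctl -f /etc/pf.conf             load it
#   tcpdump -n -e -ttt -i pflog0      read the blocked (and logged passed) packets live
```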
