Re: pf on freebsd 6.1 on DMZ in m0n0wall question
On Sat, Jul 01, 2006 at 11:46:42PM +0800, jan gestre wrote:
> I recently installed and configured (postfix+dovecot+amavisd-new+clamav+dspam+roundcubemail) on my FreeBSD 6.1 box. I placed the box in my DMZ protected by m0n0wall; however, I have no firewall on the mentioned box and I'm relying on m0n0wall to protect it. Is that OK? I'm new to FreeBSD and read about pf, and I'm having some thoughts of installing pf as a firewall on my webmail server, but I'm afraid to mess things up, especially now that the box is already a production server. Do I really need to install a separate firewall? Is it overkill? If not, then would anybody be kind enough to lend a working pf configuration that allows http, smtp and ssh? I've read the handbook but don't understand it much, particularly the firewall thing.

I think you're right not to try this out on your production box. Pf is nice, and I encourage you to use it, but *please* find a test machine! Pf works well and it's pretty easy to learn, but you almost certainly will make mistakes in the beginning.

In addition to the fine Handbook, there's a nice pf faq at www.openbsd.org/faq/pf/ that explains a lot and has a few ruleset examples. If you learn your way on a test box it'll be a snap to put it in production...

-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
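A host ruleset for the situation jan gestre describes (a single DMZ box that must accept only http, smtp and ssh and originate whatever it likes), written here as an added example rather than a configuration from anyone in the thread. The interface name em0 and the table name bruteforce are assumptions; the ssh rate limit goes a step beyond the question by showing how pf itself can throttle password guessing against the one remote-admin port.

```pf
# /etc/pf.conf for a single host in a DMZ (this box does not route).
# Added example, not from the thread. Assumption: public interface is em0.
ext_if = "em0"

# Sources that trip the ssh connection-rate limit below end up here.
table <bruteforce> persist

set skip on lo0          # never filter loopback
set block-policy drop    # drop silently instead of sending RST/unreachable

# Reassemble fragments and sanity-check incoming packets before filtering.
scrub in all

# Default deny for inbound traffic (logged to pflog0); let the host's own
# outbound connections through and track their state.
block in log all
pass out quick keep state

# Drop packets that claim one of our own addresses as source on the wrong side.
antispoof quick for $ext_if

# Anyone already in the table stays blocked until the entry is expired, e.g.
# from cron: pfctl -t bruteforce -T expire 86400
block in quick on $ext_if from <bruteforce>

# The three published services. The ssh rule adds any source that opens more
# than 5 new connections in 30 seconds to <bruteforce> and flushes its states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port { smtp, http } \
    flags S/SA keep state

# Keep ping and path-MTU/unreachable feedback working.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach } keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and keep a console or m0n0wall-side session open while testing, because a mistake in the ssh rule locks you out of a box that is only reachable over the network.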
Re: pf for FreeBSD
On Tuesday 28 September 2004 07:33 am, shane mullins wrote:

(reformatted to correct top-posting)

> ----- Original Message -----
>> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options :
>
> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane

Why not...? One reason might be that he is not a masochist.

Jay
Re: pf for FreeBSD
On Sat, 2 Oct 2004 15:45:07 -0500, Jay Moore [EMAIL PROTECTED] wrote:
> On Tuesday 28 September 2004 07:33 am, shane mullins wrote:
>> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>>
>> Shane
>
> Why not...? One reason might be that he is not a masochist.
>
> Jay

I hate to say this because I bear no hostility towards OpenBSD, but there are many reasons to opt for FreeBSD. I know I did when I just built a firewall. My reason was multiprocessor support. While FreeBSD on SMP is gorgeous and intricate, under oBSD it is non-existent until the next version. Further, I am more used to FreeBSD, and adminning OSes that you are less used to is generally a bad idea when setting up machines. The hardware support for FreeBSD is also decidedly more vast than that of oBSD, and the performance of fBSD is generally faster.

-- 
If I write a signature, my emails will appear more personalised.
Re: pf for FreeBSD
On Sep 28, 2004, at 8:33 AM, shane mullins wrote:
> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

I can tell you in my case OpenBSD doesn't provide drivers for the hardware I have.

-- 
Michael Conlen
[EMAIL PROTECTED]
Re: pf for FreeBSD
Switching OSes is not a choice. Now I've done it!!! It seems that pf was already installed with the base system, although I can't seem to find the installed binaries. I issued a pkg_delete to remove the old pf and then reinstalled pf from sources with ALTQ. Now it works smoothly ... and I am a happy man. Though I'm still wondering why the installed pf wasn't working.

Cristi

Michael E. Conlen wrote:
> On Sep 28, 2004, at 8:33 AM, shane mullins wrote:
>> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> I can tell you in my case OpenBSD doesn't provide drivers for the hardware I have.
>
> -- 
> Michael Conlen
> [EMAIL PROTECTED]
RE: pf for FreeBSD
Hi,

> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options :
>
>   device bpf
>   options PFIL_HOOKS
>   options RANDOM_IP_ID
>
> and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in the pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with
>
>   make WITH_ALTQ=yes
>   make install
>
> After a deinstall I can't install it anymore; the install crashes with the error that it is already installed!! What can I do??

I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING, since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed.

So, a way forward could be to ensure you've updated to the latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups/users required.

I have the following devices in my kernel:

  options PFIL_HOOKS
  device pf
  device pflog

I have the following in /etc/rc.conf:

  pf_enable="YES"
  pflog_enable="YES"
  pf_rules="<path to rules>"

You will also need the authpf group and the _pflogd user/group. You can get the details by downloading the latest source and checking the passwd/group files under /usr/src/etc.

in /etc/passwd:

  _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin

in /etc/group:

  authpf:*:63:
  _pflogd:*:64:

I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org.

Thanks,
Phil.
RE: pf for FreeBSD
Hello,

I'm using 5.2.1 and I want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in the startup script ... this is where I have no clue ... what's the path ... And another thing ... if I want to install pf now it says that it is already installed ... strange ... because I can't find it now, not the binaries nor the modules.

Cristi

> Hi,
>
> I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING, since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed.
>
> So, a way forward could be to ensure you've updated to the latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups/users required.
>
> I have the following devices in my kernel:
>
>   options PFIL_HOOKS
>   device pf
>   device pflog
>
> I have the following in /etc/rc.conf:
>
>   pf_enable="YES"
>   pflog_enable="YES"
>   pf_rules="<path to rules>"
>
> You will also need the authpf group and the _pflogd user/group. You can get the details by downloading the latest source and checking the passwd/group files under /usr/src/etc.
>
> in /etc/passwd:
>
>   _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
>
> in /etc/group:
>
>   authpf:*:63:
>   _pflogd:*:64:
>
> I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org.
>
> Thanks,
> Phil.
RE: pf for FreeBSD
Hi,

I'm not sure of the dates of when 5.2.1 was released to tell you for sure whether pf is available in the kernel or not. I only started using 5.x when 5.3-Beta was released and pf has always been available in kernel for me. Never used the port.

To check if pf is installed/available you could try the command line via which pf is configured, i.e.

  # pfctl -sa

(i.e. show all currently configured options for pf). To check if it's available in the base system you could try configuring a kernel with the devices in my previous email and see if they're accepted.

Thanks,
Phil.

-----Original Message-----
From: Cristi Tauber [mailto:[EMAIL PROTECTED]
Sent: 28 September 2004 11:19
To: Philip Payne
Cc: FreeBSD Question
Subject: RE: pf for FreeBSD

> Hello,
>
> I'm using 5.2.1 and I want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in the startup script ... this is where I have no clue ... what's the path ... And another thing ... if I want to install pf now it says that it is already installed ... strange ... because I can't find it now, not the binaries nor the modules.
>
> Cristi
Re: pf for FreeBSD
Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

Shane

----- Original Message -----
From: Cristi Tauber [EMAIL PROTECTED]
To: FreeBSD Question [EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 12:54 AM
Subject: pf for FreeBSD

> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options :
>
>   device bpf
>   options PFIL_HOOKS
>   options RANDOM_IP_ID
>
> and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in the pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with
>
>   make WITH_ALTQ=yes
>   make install
>
> After a deinstall I can't install it anymore; the install crashes with the error that it is already installed!! What can I do??
>
> Cristi
Re: pf for FreeBSD
Hello,

It crossed my mind to run OpenBSD but I would have to reinstall the server and the applications (mysql, qmail, etc ...) and besides that ... I know that OpenBSD can't take advantage of SMP servers. I don't know if newer versions 'see' SMP, but an older one (I don't precisely know the version, but it was the latest I got in January this year) that I was trying to set up can't!

Cristi

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
RE: pf for FreeBSD
The fact you only have to maintain one OS is one great advantage. One ports tree, one system to patch for security updates. The learning curve to use FreeBSD's pf is negligible imo. As long as kernel support is compiled in for it, and you have the users in your /etc/passwd, it just works. Least for me, as I have been using it since it was introduced as a kernel kld, and sometime shortly after it became a native module to FreeBSD. It's imo easier to maintain than, say, ipfw, as well as faster.

-----Original Message-----
From: shane mullins [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 2:34 PM
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
RE: pf for FreeBSD
IMHO it's not very hard in FreeBSD 5.3 either, now it's in the base. The only additional step to what you describe below is adding the kernel options and building/installing the kernel to include them, which is only 2 commands.

However, some of the log analysis ports I've tried (fwanalog... another the name of which slips my mind, damn) do not work with the FreeBSD implementation of tcpdump :-(

I suppose, with OpenBSD's complete focus on security, if I was building a dedicated firewall I would very probably select OpenBSD. Depends what other things Cristi is using FreeBSD for.

Phil.

-----Original Message-----
From: shane mullins [mailto:[EMAIL PROTECTED]
Sent: 28 September 2004 13:34
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
[OT] Re: pf for FreeBSD
Hi Cristi,

> It crossed my mind to run OpenBSD but I would have to reinstall the server and the applications (mysql, qmail, etc ...) and besides that ... I know that OpenBSD can't take advantage of SMP servers. I don't know if newer versions 'see' SMP, but an older one (I don't precisely know the version, but it was the latest I got in January this year) that I was trying to set up can't!

http://www.openbsd.org/36.html#new

3.6 is in CVS and will be released November 1. I believe that if you hurry and install a snapshot from September 17 or before, you'll be able to jump to 3.6. Don't take my word for it, though.

Bye...
Nico
Re: pf for FreeBSD
On Tue, 28 Sep 2004 09:54:18 +0200 Cristi Tauber [EMAIL PROTECTED] wrote:

> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options :
>
>   device bpf
>   options PFIL_HOOKS
>   options RANDOM_IP_ID
>
> and installed pf from ports (i did a cvsup before installing to get the latest ports). Now my dilemma is ... in the pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with

Does the prefix by chance refer to the full path to the script (i.e. /usr/local/etc/rc.d/pf.sh)? Read the comments in the script; it will tell you what you need to do to /etc/rc.conf to get things started on bootup.

>   make WITH_ALTQ=yes
>   make install

I've been running pf on two separate FBSD 5.2.1 boxes for weeks without adding this switch. Only thing that doesn't work that great is spamd logging, but otherwise I prefer pf over ipf and ipfw any day -- even on a ported OS...

Cheers,
EB