pf in FreeBSD 8.0-RCx
Hello All,

There seems to be an issue with pf (at startup/boot time) where I get an error message about no IP address being associated with an interface. The only way I can get pf to load the rule set is to load it at the command line with

    pfctl -f /etc/pf.conf

I have tried changing the startup order of pf so that it loads after all of the networking interfaces are brought up (including running the ppp daemon first to establish tun0), to no avail. I saw on the list that others have been experiencing a similar issue.

Obviously, I would like to have a fix for this, because if I have to reboot my box from a distant location, I am left with a wide open machine until I can log in and reload the pf ruleset.

What changed with pf since 7.2?

Thanks,
Matt
Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Erik,
> I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must be doing something seriously wrong.

I think it is probably just a typo that you've gone blind to. I suggest you stick with the GENERIC kernel until you have things figured out; that way we all know what you're talking about.

There should be no loading of pf-related modules in your loader.conf. In rc.conf you should have:

    # Packet Filter
    pf_enable=YES
    pf_rules=/etc/pf.conf
    pflog_enable=YES
    pflog_logfile=/var/log/pflog

You should not have any of the firewall_ options set; these apply to ipfw.

Then make a simple rule set:

    # Default action (this rule will never match)
    block log all

    # Your pass rules go here

    # Catch anything that falls through here:
    block log quick all

The last rule is obviously not needed, but I like to have it just in case there is something I missed.

Do

    # tcpdump -n -e -ttt -i pflog0

to watch live what happens (make sure that pflog is up and running).

Cheers, Erik
-- 
Ph: +34.666334818   web: http://www.locolomo.org
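A way to make sense of what that tcpdump command prints, as an added example that is not part of Erik's post or of pf itself: a small Python parser over pflog lines. The line layout is my approximation of tcpdump's pflog output (the `rule N/M(match): action dir on if:` prefix that `-e` adds, with the `-ttt` time deltas in front, IPv4 only); the sample records, addresses and the interface name em0 are constructed. Packets logged by rule 0, the `block log all` default, are exactly the ones no pass rule claimed, so counting hits per rule and per source shows whether the ruleset is reached at all and which source is probing closed ports.

```python
"""Summarise pflog(4) records as printed by 'tcpdump -n -e -ttt -i pflog0'.

Added example; the line format is an approximation of tcpdump's pflog output
and the sample below is constructed, not copied from the original post.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rule 0 is a "block log all" default catching unsolicited
# traffic, rule 2 a pass rule for web traffic, rule 3 an outbound block.
SAMPLE_PFLOG = """\
 00:00:00.000000 rule 0/0(match): block in on em0: 192.0.2.44.51022 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
 00:00:01.203311 rule 0/0(match): block in on em0: 192.0.2.44.51023 > 198.51.100.10.23: Flags [S], seq 1, win 65535, length 0
 00:00:00.512000 rule 2/0(match): pass in on em0: 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 7, win 29200, length 0
 00:00:02.000000 rule 0/0(match): block in on em0: 192.0.2.44.51024 > 198.51.100.10.139: Flags [S], seq 1, win 65535, length 0
 00:00:00.300000 rule 0/0(match): block in on em0: 192.0.2.44 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
 00:00:00.000100 rule 3/0(match): block out on em0: 198.51.100.10.33333 > 192.0.2.99.53: UDP, length 40
this line is not a pflog record and must be ignored
"""

# delta, "rule N/M(reason):", action, direction, interface, src > dst:
_LINE_RE = re.compile(
    r"^\s*(?P<delta>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>block|pass|match|nat|rdr|binat|scrub)\s+(?P<dir>in|out)\s+on\s+"
    r"(?P<ifname>[^:\s]+):\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):"
)


def _split_endpoint(endpoint):
    """'192.0.2.44.51022' -> ('192.0.2.44', 51022); '192.0.2.44' -> ('192.0.2.44', None).
    IPv4 only: tcpdump appends the port as a fifth dotted field."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None


def parse_pflog_line(line):
    """Return a record dict for one pflog line, or None for anything else."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return {
        "rule": int(m.group("rule")), "reason": m.group("reason"),
        "action": m.group("action"), "dir": m.group("dir"), "ifname": m.group("ifname"),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_pflog(text):
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Hits per (action, rule number). A pass rule that never shows up here
    is one the traffic never matched, i.e. the likely typo in the ruleset."""
    return Counter((r["action"], r["rule"]) for r in records)


def scan_suspects(records, min_ports=3):
    """Sources whose inbound packets were blocked on at least min_ports distinct
    destination ports, most ports first: the signature of a port scan."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["dir"] == "in" and r["dst_port"] is not None:
            ports[r["src_ip"]].add(r["dst_port"])
    return sorted((ip for ip, p in ports.items() if len(p) >= min_ports),
                  key=lambda ip: (-len(ports[ip]), ip))


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (action, rule), n in sorted(summarize(recs).items()):
        print(f"{action:5s} rule {rule:3d}: {n} packet(s)")
    print("blocked on 3+ ports:", scan_suspects(recs))
```

Run it against a saved capture (`tcpdump -n -e -ttt -r /var/log/pflog`) instead of the constructed sample to get the same per-rule and per-source view of a real box.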
Big problems with PF on freeBSD 6.2
Hi Guys,

I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it in the kernel or load it as a module, with both it won't work. If I have only one rule, "block all" or "block all on ext_if", I can still go on the internet, and if I portscan my computer I get most ports closed and some ports filtered by my ISP (137, 139 and some other MS ports). I tried a clean install of FreeBSD 6.2 with the latest stable source as well. I have had this problem since I changed ISP. Can you please help me out, because I'd love to use my BSD box again...
Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Guys, I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if i compile it in the kernel or load it as a module both it won't work. If a have only one rule block all or block all on ext_if I can still go on the internet and if I portscan my computer i get most ports closed and some by my isp filtered ports (137 139 and some onher MS ports). I tried a clean install of freebsd 6.2 with the latest stable source ass well.

you mean "as well" :)

Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf, post those options. Also, post any boot options that toggle pf behaviour.

The default behaviour of pf is pass all; I don't remember if there is a boot option or similar to change this. But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set.

Try a GENERIC kernel and see if packets are blocked correctly by a "block log all" rule. In any case, you should add "log" to your rules for debugging, so you can see if the ruleset is matched and where packets are blocked or passed.

Cheers, Erik
-- 
Ph: +34.666334818   web: http://www.locolomo.org
Re: Big problems with PF on freeBSD 6.2
Hi Erik,

I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must be doing something seriously wrong.

Thanks anyway

Erik Norgaard wrote:
> Tim T Bos wrote:
> > [...] I tried a clean install of freebsd 6.2 with the latest stable source ass well.
>
> you mean "as well" :)
>
> Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf post those options. Also, post any boot options that toggle pf behaviour. The default behaviour of pf is pass all, I don't remember if there is a boot option or similar to change this. But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set.
>
> Try a GENERIC kernel and see if packets are blocked correctly by a "block log all" rule. In any case, you should add "log" to your rules for debugging, so you can see if ruleset is matched and where packets are blocked or passed.
>
> Cheers, Erik
pf on freebsd 6.1 on DMZ in m0n0wall question
hi to all,

I recently installed and configured (postfix+dovecot+amavisd-new+clamav+dspam+roundcubemail) on my FreeBSD 6.1 box. I placed the box in my DMZ protected by m0n0wall; however, I have no firewall on the mentioned box and I'm relying on m0n0wall to protect it. Is that ok?

I'm new to FreeBSD and have read about pf, and I'm having some thoughts of installing pf as a firewall on my webmail server, but I'm afraid to mess things up, especially now that the box is already a production server. Do I really need to install a separate firewall? Is it overkill? If not, then would anybody be kind enough to lend a working pf configuration that allows http, smtp and ssh? I've read the handbook but don't understand it much, particularly the firewall thing.

TIA
Re: pf on freebsd 6.1 on DMZ in m0n0wall question
On Sat, Jul 01, 2006 at 11:46:42PM +0800, jan gestre wrote:
> i recently installed and configured (postfix+dovecot+amavisd-new+clamav+dspam+roundcubemail) in my freebsd 6.1box, i placed the box in my dmz protected by m0n0wall, however i have no firewall on the mentioned box and i'm relying on m0n0wall to protect it. is that ok?
> [...] do i really need to install a separate firewall? is it an overkill? if not then anybody kind enough to lend a working pf configuration that allows http, smtp and ssh, i've read the handbook but don't understand it much particularly the firewall thing.

I think you're right not to try this out on your production box. Pf is nice, and I encourage you to use it, but *please* find a test machine! Pf works well and it's pretty easy to learn, but you almost certainly will make mistakes in the beginning.

In addition to the fine Handbook, there's a nice pf FAQ at www.openbsd.org/faq/pf/ that explains a lot and has a few ruleset examples. If you learn your way on a test box it'll be a snap to put it in production...

-- 
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
A possibly simple query about pf on FreeBSD 5.3-RELEASE
After nearly a week of fighting the dual problem of OpenBSD 3.6 release freezing on my hardware, and some rather odious personalities on the [EMAIL PROTECTED] mailing list, I decided to install FreeBSD 5.3-RELEASE on the web server I am deploying and stick to it.

I went through the webpage on firewalling on FreeBSD (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html) and decided to pick pf as my firewall solution. The OpenBSD guide on this is simply and elegantly written and is very easy to get the hang of.

I have created a packet filtering ruleset in /etc/pf.conf, enabled the switches in /etc/rc.conf and am fiddling around with it. I tried to connect on port ssh (22, I think) and did a few tests with different IP addresses and it works as I expect. Since this beast is going to be a webserver, I wrote the following filter for port www (previously blocking all and scrubbing all, of course):

    pass in on $ext_if proto tcp from any to $ext_if \
        port www flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Question: Is the above a reasonably good rule for my situation (if you have further questions, fire away)?

Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a warning:

    No ALTQ support in kernel
    ALTQ related functions disabled

Now, I would probably want to use queueing and bandwidth allotment if I am to run a webserver that allows a few IP addresses to connect via ssh.

Question: How do I enable ALTQ support in the kernel? And since I have the choice of either using a loadable module for pf (like I am doing) or compiling PF support into the kernel, which is better from a security and performance POV?

Another issue, unrelated to pf: I am trying to install plone, zope (and a bunch of zope/plone related packages) and apache on the machine. However, the pkg_add process quit with some errors for some of the packages and referred me to some log (which log?) during installation.

Question: Are the versions in the ports tree for these packages kosher, i.e., do they compile, install and work cleanly?
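To see what the limits in that rule actually do before relying on them, here is an added Python model (not pf code, and not from the original post) of the per-rule options `max`, `source-track rule`, `max-src-nodes` and `max-src-states`, following the semantics pf.conf(5) describes: when a limit is reached, a packet that would create a new state simply stops matching this rule and falls through to the rules after it, which in the ruleset above means the default block. All addresses and connection sequences are constructed.

```python
"""Model of the state limits on the rule above:
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Added example: a simulation of the semantics described in pf.conf(5), not pf
code. Addresses and event sequences are constructed."""


class RuleStateLimits:
    """Tracks the states one 'pass ... keep state' rule has created."""

    def __init__(self, max_states=200, max_src_nodes=100, max_src_states=3):
        self.max_states = max_states          # max: states this rule may hold
        self.max_src_nodes = max_src_nodes    # max-src-nodes: distinct tracked sources
        self.max_src_states = max_src_states  # max-src-states: states per source
        self.states = 0
        self.nodes = {}                       # source-track rule: src -> live states

    def new_state(self, src):
        """True if a new connection from src may create state under this rule.
        False means the packet does not match this rule and is evaluated
        against the rules that follow it (here, the default block)."""
        if self.states >= self.max_states:
            return False
        per_src = self.nodes.get(src, 0)
        if per_src == 0 and len(self.nodes) >= self.max_src_nodes:
            return False                      # no free source-node slot
        if per_src >= self.max_src_states:
            return False                      # this source is at its cap
        self.nodes[src] = per_src + 1
        self.states += 1
        return True

    def state_closed(self, src):
        """A state from src closed or timed out. The source node goes away once
        it holds no states, which frees a max-src-nodes slot."""
        remaining = self.nodes[src] - 1
        self.states -= 1
        if remaining:
            self.nodes[src] = remaining
        else:
            del self.nodes[src]


def simulate(limits, events):
    """events: ('open', src) or ('close', src). Returns the admit decision for
    each open event, in order."""
    decisions = []
    for kind, src in events:
        if kind == "open":
            decisions.append(limits.new_state(src))
        else:
            limits.state_closed(src)
    return decisions


def demo():
    """Three constructed scenarios against the limits in the rule above."""
    # One client opens four connections, closes one, then opens another: the
    # fourth is refused by max-src-states 3, the retry after the close is admitted.
    one = RuleStateLimits()
    per_source = simulate(one, [("open", "192.0.2.10")] * 4
                               + [("close", "192.0.2.10"), ("open", "192.0.2.10")])

    # 101 distinct clients, one connection each: the 101st hits max-src-nodes 100.
    many = RuleStateLimits()
    nodes = simulate(many, [("open", f"203.0.113.{i}") for i in range(1, 102)])

    # 100 clients with three connections each would need 300 states;
    # max 200 stops the rule matching after the 200th.
    full = RuleStateLimits()
    total = simulate(full, [("open", f"198.51.100.{i}")
                            for i in range(1, 101) for _ in range(3)])
    return {"per_source": per_source, "nodes": nodes, "total": total}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name}: {decisions.count(True)} admitted, {decisions.count(False)} refused")
```

The model makes the trade-off in the rule visible: `max-src-states 3` is what throttles a single abusive client, while `max 200` and `max-src-nodes 100` cap the whole rule, so once either global cap is hit, new legitimate visitors are also pushed to the default block until existing states time out.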
Re: A possibly simple query about pf on FreeBSD 5.3-RELEASE
On Tuesday 01 March 2005 10:44 am, Madhusudan Singh wrote:
> After nearly a week of fighting the dual problem of OpenBSD 3.6 release freezing on my hardware, and some rather odious personalities on the [EMAIL PROTECTED] mailing list, I decided to install FreeBSD 5.3-RELEASE on the web server I am deploying and stick to it.
> [...]
> Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a warning : No ALTQ support in kernel ALTQ related functions disabled Now, I would probably want to use queueing and bandwidth allotment if I am to run a webserver that allows a few IP addresses to connect via ssh. Question : How do I enable ALTQ support in the kernel ?

Add the following line to your kernel configuration file and compile/install a new kernel.

    options ALTQ

For instructions regarding kernel configuration/installation, see Chapter 8 of the online manual: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html

> And since I have the choice of either using a loadable module for pf (like I am doing) or compiling in PF support into the kernel, which is better from a security and performance pov ?

pf is compiled into the GENERIC kernel by default in FreeBSD 5.3.

> Another issue, unrelated to pf : I am trying to install plone, zope (and a bunch of zope/plone related packages) and apache on the machine. However, the pkg_add process quit with some errors for some of the packages and refered me to some log (which log ?) during installation. Question : Are versions in the ports tree for these packages kosher, i.e., do they compile, install and work cleanly ?

Best of luck,
Andrew Gould
Re: pf for FreeBSD
On Tuesday 28 September 2004 07:33 am, shane mullins wrote:
> (reformatted to correct top-posting)
>
> > hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options : [...]
>
> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane

Why not...? One reason might be that he is not a masochist.

Jay
Re: pf for FreeBSD
On Sat, 2 Oct 2004 15:45:07 -0500, Jay Moore [EMAIL PROTECTED] wrote:
> On Tuesday 28 September 2004 07:33 am, shane mullins wrote:
> > Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Why not...? One reason might be that he is not a masochist.
>
> Jay

I hate to say this because I bear no hostility towards OpenBSD, but there are many reasons to opt for FreeBSD. I know I did when I just built a firewall. My reason was multiprocessor support. While FreeBSD on SMP is gorgeous and intricate, under oBSD it is non-existent until the next version. Further, I am more used to FreeBSD, and adminning OSes that you are less used to is generally a bad idea when setting up machines. The hardware support for FreeBSD is also decidedly more vast than that of oBSD, and the performance of fBSD is generally faster.

-- 
If I write a signature, my emails will appear more personalised.
Re: pf for FreeBSD
On Sep 28, 2004, at 8:33 AM, shane mullins wrote:
> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

I can tell you in my case OpenBSD doesn't provide drivers for the hardware I have.

-- 
Michael Conlen
[EMAIL PROTECTED]
Re: pf for FreeBSD
Switching OSes is not a choice.

Now I've done it!!! It seems that pf was already installed with the base system, although I can't seem to find the installed binaries. I issued a pkg_delete to remove the old pf and then reinstalled pf from sources with ALTQ. Now it works smoothly... and I am a happy man. Though I'm still wondering why the installed pf wasn't working.

Cristi

Michael E. Conlen wrote:
> On Sep 28, 2004, at 8:33 AM, shane mullins wrote:
> > Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> I can tell you in my case OpenBSD doesn't provide drivers for the hardware I have.
>
> -- 
> Michael Conlen
> [EMAIL PROTECTED]
pf for FreeBSD
hello folks,

I want to install the packet filter for FreeBSD, so I recompiled the kernel with the options:

    device bpf
    options PFIL_HOOKS
    options RANDOM_IP_ID

and installed pf from ports (I did a cvsup before installing to get the latest ports). Now my dilemma is... in the pf start script... I have to enter a prefix... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with

    make WITH_ALTQ=yes
    make install

After a deinstall I can't install it anymore; the install crashes with the error that it is already installed!! What can I do??

Cristi
RE: pf for FreeBSD
Hi,

> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options : device bpf options PFIL_HOOKS options RANDOM_IP_ID and installed pf from ports ( i did a cvsup before installing to get the latest ports). Now my dilemma is ... in pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in source directory . I installed pf with make WITH_ALTQ=yes make install after a deinstall I can't install it anymore, the install crashes with the error that is allready installed !! What can I do ??/

I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING, since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed.

So, a way forward could be to ensure you've updated to the latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING, as it also contains some info on the pf groups/users required.

I have the following devices in my kernel:

    device PFIL_HOOKS
    device pf
    device pflog

I have the following in /etc/rc.conf:

    pf_enable=YES
    pflog_enable=YES
    pf_rules=<path to rules>

You will also need the authpf group and the _pflogd user and group. You can get the details by downloading the latest source and checking the passwd and group files under /usr/src/etc.

in /etc/passwd:

    _pflogd:*:64:64:pflogd privesp user:/var/empty:/usr/sbin/nologin

in /etc/group:

    authpf:*:63:
    _pflogd:*:64:

I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org.

Thanks,
Phil.
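As an added preflight check (not Phil's code and not part of FreeBSD), here is a Python script that parses rc.conf and group file contents and verifies the pieces listed above are in place: the pf knobs, a log file whenever pflog is enabled, and the authpf/_pflogd groups with the gids Phil quotes. The YES/NO handling follows rc.subr's checkyesno, which accepts yes/true/on/1 and no/false/off/0 case-insensitively and treats anything else as misconfigured; the firewall_enable check reflects Erik's remark in another thread on this page that the firewall_ knobs belong to ipfw, and the fallback to /etc/pf.conf when pf_rules is unset is the default in /etc/rc.d/pf. Both rc.conf samples and the group file are constructed.

```python
"""Preflight check for the rc.conf knobs and groups pf needs on FreeBSD 5.x.

Added example, not from the post or from FreeBSD; the file contents below are
constructed. YES/NO parsing mirrors rc.subr's checkyesno."""
import shlex

RC_CONF_OK = """\
# constructed /etc/rc.conf
hostname="fw.example.test"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable=yes
pflog_logfile="/var/log/pflog"
firewall_enable="NO"
"""

RC_CONF_BAD = """\
# constructed: typo in pf_enable, pflog on without a log file, ipfw knob set
pf_enable="YSE"
pflog_enable="YES"
firewall_enable="YES"
"""

GROUP_FILE = """\
wheel:*:0:root
authpf:*:63:
_pflogd:*:64:
nogroup:*:65533:
"""

YES = ("yes", "true", "on", "1")
NO = ("no", "false", "off", "0", "")


def parse_rc_conf(text):
    """Read 'name=value' lines with sh quoting; comments and blank lines are
    skipped. Only simple assignments are handled, which is what rc.conf holds."""
    conf = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if len(tokens) == 1 and "=" in tokens[0]:
            name, value = tokens[0].split("=", 1)
            conf[name] = value
    return conf


def checkyesno(conf, knob):
    """rc.subr semantics: yes/true/on/1 is on; anything else (including a
    typo) is off, which is exactly how a misspelt pf_enable bites at boot."""
    return conf.get(knob, "").lower() in YES


def is_misconfigured(conf, knob):
    return conf.get(knob, "").lower() not in YES + NO


def parse_group(text):
    """group(5) lines name:password:gid:members -> {name: gid}."""
    gids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            gids[fields[0]] = int(fields[2])
    return gids


def preflight(conf, gids):
    """Return a list of problems; an empty list means the knobs and groups
    Phil lists are all present."""
    problems = []
    for knob in ("pf_enable", "pflog_enable", "firewall_enable"):
        if is_misconfigured(conf, knob):
            problems.append(f"{knob}={conf[knob]!r} is not a YES/NO value")
    if not checkyesno(conf, "pf_enable"):
        problems.append("pf_enable is not YES: pf will not start at boot")
    if not conf.get("pf_rules", "/etc/pf.conf").startswith("/"):
        problems.append("pf_rules must be an absolute path to the ruleset")
    if checkyesno(conf, "pflog_enable") and not conf.get("pflog_logfile", "").startswith("/"):
        problems.append("pflog_enable is YES but pflog_logfile is not set")
    if checkyesno(conf, "firewall_enable"):
        problems.append("firewall_enable=YES enables ipfw, not pf")
    for name, gid in (("authpf", 63), ("_pflogd", 64)):
        if gids.get(name) != gid:
            problems.append(f"group {name} (gid {gid}) missing from /etc/group")
    return problems


if __name__ == "__main__":
    groups = parse_group(GROUP_FILE)
    for label, text in (("ok", RC_CONF_OK), ("bad", RC_CONF_BAD)):
        print(label, preflight(parse_rc_conf(text), groups) or "no problems found")
```

On a real box, feed it the contents of /etc/rc.conf and /etc/group; it answers the "is it even enabled" question before any ruleset debugging starts.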
RE: pf for FreeBSD
Hello,

I'm using 5.2.1 and I want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in the startup script... this is where I have no clues... what's the path... And another thing... if I want to install pf now it says that it is already installed... strange... because I can't find it now, not the binaries nor the modules.

Cristi

> Hi,
> [...]
> I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING Since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed. So, a way forward could be to ensure you've updated to latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups users required.
> [...]
> I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org .
>
> Thanks, Phil.
RE: pf for FreeBSD
Hi,

I'm not sure of the dates of when 5.2.1 was released to tell you for sure whether pf is available in the kernel or not. I only started using 5.x when 5.3-Beta was released, and pf has always been available in the kernel for me. Never used the port.

To check if pf is installed/available you could try the command line via which pf is configured, i.e.

    # pfctl -sa

(i.e. show all currently configured options for pf). To check if it's available in the base system you could try configuring a kernel with the devices in my previous email and see if they're accepted.

Thanks,
Phil.

-Original Message-
From: Cristi Tauber [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2004 11:19
To: Philip Payne
Cc: FreeBSD Question
Subject: RE: pf for FreeBSD

> Hello, i'm using 5.2.1 and i want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in startup script ... this is were i have no clues ... what's the path ... And another thing ... if i want to install pf now it says that is allready installed ... strange ... because i can't find it now, not the binaries nor the modules .
>
> Cristi
> [...]
Re: pf for FreeBSD
Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

Shane

- Original Message -
From: Cristi Tauber [EMAIL PROTECTED]
To: FreeBSD Question [EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 12:54 AM
Subject: pf for FreeBSD

> hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options : device bpf options PFIL_HOOKS options RANDOM_IP_ID and installed pf from ports ( i did a cvsup before installing to get the latest ports). Now my dilemma is ... in pf start script ... i have to enter a prefix ... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in source directory . I installed pf with make WITH_ALTQ=yes make install after a deinstall I can't install it anymore, the install crashes with the error that is allready installed !! What can I do ??/
>
> Cristi
Re: pf for FreeBSD
Hello,

It crossed my mind to run OpenBSD, but I have to reinstall the server and the applications (mysql, qmail, etc...) and besides that... I know that OpenBSD can't take advantage of SMP servers. I don't know if newer versions 'see' SMP, but an older one (I don't precisely know the version, but it was the latest I got in January this year) that I was trying to set up can't!

Cristi

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
>
> - Original Message -
> From: Cristi Tauber [EMAIL PROTECTED]
> To: FreeBSD Question [EMAIL PROTECTED]
> Sent: Tuesday, September 28, 2004 12:54 AM
> Subject: pf for FreeBSD
>
> > hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options : [...] What can I do ??/
> >
> > Cristi
RE: pf for FreeBSD
The fact you only have to maintain one OS is one great advantage. One ports tree, one system to patch for security updates. The learning curve to use FreeBSD's pf is negligible IMO. As long as kernel support is compiled in for it, and you have the users in your /etc/passwd, it just works. At least for me, as I have been using it since it was introduced as a kernel kld, and sometime shortly after it became a native module to FreeBSD. It's IMO easier to maintain than, say, ipfw, as well as faster.

-Original Message-
From: shane mullins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 28, 2004 2:34 PM
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
>
> - Original Message -
> From: Cristi Tauber [EMAIL PROTECTED]
> To: FreeBSD Question [EMAIL PROTECTED]
> Sent: Tuesday, September 28, 2004 12:54 AM
> Subject: pf for FreeBSD
>
> > hello folks, i want to install the packet filter for FreeBSD so i recompile the kernel with the options : [...] What can I do ??/
> >
> > Cristi
RE: pf for FreeBSD
IMHO it's not very hard in FreeBSD 5.3 either, now it's in the base. The only additional step to what you describe below is adding the kernel options and building/installing the kernel to include them, which is only 2 commands. However, some of the log analysis ports I've tried (fwanalog... another the name of which slips my mind, damn) do not work with the FreeBSD implementation of tcpdump :-(

I suppose, with OpenBSD's complete focus on security, if I was building a dedicated firewall I would very probably select OpenBSD. Depends what other things Cristi is using FreeBSD for.

Phil.

-----Original Message-----
From: shane mullins [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2004 13:34
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

> Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
>
> ----- Original Message -----
> From: Cristi Tauber [EMAIL PROTECTED]
> To: FreeBSD Question [EMAIL PROTECTED]
> Sent: Tuesday, September 28, 2004 12:54 AM
> Subject: pf for FreeBSD
>
> > hello folks, I want to install the packet filter for FreeBSD so I recompile the kernel with the options:
> >
> >   device bpf
> >   options PFIL_HOOKS
> >   options RANDOM_IP_ID
> >
> > and installed pf from ports (I did a cvsup before installing to get the latest ports). Now my dilemma is... in the pf start script... I have to enter a prefix... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with
> >
> >   make WITH_ALTQ=yes
> >   make install
> >
> > after a deinstall I can't install it anymore, the install crashes with the error that it is already installed!! What can I do??
> >
> > Cristi
[OT] Re: pf for FreeBSD
Hi Cristi,

> it crossed my mind to run OpenBSD but I have to reinstall the server and the applications (mysql, qmail, etc...) and besides that... I know that OpenBSD can't take advantage of SMP servers. I don't know if newer versions 'see' SMP but an older one (I don't precisely know the version but it was the latest I got in January this year) I was trying to set up can't!

http://www.openbsd.org/36.html#new

3.6 is in CVS and will be released November 1. I believe that if you hurry and install a snapshot from September 17 or before, you'll be able to jump to 3.6. Don't take my word for it, though.

Bye...
Nico
Re: pf for FreeBSD
On Tue, 28 Sep 2004 09:54:18 +0200 Cristi Tauber [EMAIL PROTECTED] wrote:

> hello folks, I want to install the packet filter for FreeBSD so I recompile the kernel with the options:
>
>   device bpf
>   options PFIL_HOOKS
>   options RANDOM_IP_ID
>
> and installed pf from ports (I did a cvsup before installing to get the latest ports). Now my dilemma is... in the pf start script... I have to enter a prefix... but what prefix, 'cause after installing and rebooting the modules that I want to load are still in the source directory. I installed pf with

Does the prefix by chance refer to the full path to the script (i.e. /usr/local/etc/rc.d/pf.sh)? Read the comments in the script; it will tell you what you need to do to /etc/rc.conf to get things started on bootup.

>   make WITH_ALTQ=yes
>   make install

I've been running pf on two separate FBSD 5.2.1 boxes for weeks without adding this switch. Only thing that doesn't work that great is spamd logging, but otherwise I prefer pf over ipf and ipfw any day -- even on a ported OS...

Cheers,
EB
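EB's reply sends the original poster to the rc.d script's comments for the /etc/rc.conf knobs that start pf at boot. As an added example (not code from anyone in this thread), a small POSIX sh linter that checks an rc.conf-style file for those settings and for a leftover ipfw knob; the two sample fragments are constructed, and the firewall_enable check rests on firewall_* variables configuring ipfw rather than pf.

```shell
#!/bin/sh
# Added example (not from the thread): lint an rc.conf-style file for the pf
# knobs discussed above. Pure text checks; on a FreeBSD host use /etc/rc.conf.

# Print the value of the last KEY= assignment in FILE with surrounding quotes
# removed; prints nothing when KEY is absent.
rc_value() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed -e 's/^[^=]*=//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# Print one line per finding; return the number of findings (0 means clean).
check_pf_rc() {
    findings=0
    case "$(rc_value "$1" pf_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "pf_enable is not YES: pf will not be enabled at boot"
           findings=$((findings + 1)) ;;
    esac
    # pf_rules defaults to /etc/pf.conf when unset; a relative path is a typo.
    rules=$(rc_value "$1" pf_rules)
    if [ -n "$rules" ] && [ "${rules#/}" = "$rules" ]; then
        echo "pf_rules '$rules' is not an absolute path"
        findings=$((findings + 1))
    fi
    case "$(rc_value "$1" pflog_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "pflog_enable is not YES: 'log' rules give no pflog0 traffic"
           findings=$((findings + 1)) ;;
    esac
    # firewall_* knobs belong to ipfw, not pf; running both invites confusion.
    case "$(rc_value "$1" firewall_enable)" in
        [Yy][Ee][Ss]) echo "firewall_enable=YES also starts ipfw"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample fragments (not taken from any real host).
GOOD_RC=$(mktemp); BAD_RC=$(mktemp)
printf '%s\n' 'pf_enable="YES"' 'pf_rules="/etc/pf.conf"' \
    'pflog_enable="YES"' 'pflog_logfile="/var/log/pflog"' > "$GOOD_RC"
printf '%s\n' '# pf installed but never enabled; stale ipfw knob' \
    'pf_rules="pf.conf"' 'firewall_enable="YES"' > "$BAD_RC"

check_pf_rc "$GOOD_RC" && echo "good sample: clean"
check_pf_rc "$BAD_RC" || echo "bad sample: $? finding(s)"
```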