SolarfluX
May 14th, 2003, 02:44
Hi to everyone in SE-land... Some of you here are aware of (and contributing to) it already, but I've created a site completely dedicated to PF and related tools (ALTQ, pfstat, pftop, fwanalog, etc.)... The goal is to build a sizable repository of pf.conf files and corresponding 'pfctl -s?' output files to help users get up to speed quickly without having to spend a lot of time Googling around for examples and documents. The site is simple to navigate and textbrowser-friendly:

pf-repository (https://solarflux.org/pf/)

Strog
May 14th, 2003, 13:31
Solar finally found something he wants to talk about. 8)

It's all coming together nicely and is a great place to look for all things pf. PF was ported to FreeBSD 5 in case anyone missed that. SolarfluX has been running it and on OpenBSD so maybe you could ask him something about that too.

elmore
May 14th, 2003, 22:00
I know, look: SolarfluX finally made a post! :shock:

Let's just hope this is the first of many. Welcome!

If you guys haven't checked out the pfr yet, make a point to stop by. You won't be disappointed.

SolarfluX
May 14th, 2003, 22:51
Speaking of pf for FreeBSD, I just received a message from Pyun YongHyeon (who ported it to FreeBSD 5.0) and he submitted his pf.conf for inclusion in the repository. I added it a few minutes ago.

8)

I'm also going to add my pf.conf for FreeBSD tonight. My OBSD one still needs an overhaul, so that will have to come later.

----------------------------
https://solarflux.org/pf/

soup4you2
May 15th, 2003, 19:41
Would somebody be so kind as to tell me how to translate this over to pf?

[code]
block in quick all with ipopts
block in quick all with frag
block in quick all with short
block return-rst in quick proto tcp all flags FUP
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
[/code]

SolarfluX
May 16th, 2003, 01:04
Would somebody be so kind as to tell me how to translate this over to pf?

[code]
block in quick all with ipopts
block in quick all with frag
block in quick all with short
block return-rst in quick proto tcp all flags FUP
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
[/code]

[code]
# block in quick all with ipopts # I think this is when scanners use illegal flag combos,
# unsure of the entire list, seen so many different ones
?

# block in quick all with frag
# block in quick all with short
scrub in on $xif all fragment reassemble # normalize frags, overlaps, shorts, etc. should
# take care of this

# block return-rst in quick proto tcp all flags FUP # might be the same, not sure
?

# block return-rst in log quick on xl0 proto tcp from any to any
block return-rst in log quick on $xif proto tcp all

# block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block return-icmp in log quick on $xif proto udp all
[/code]

Someone please check my work and add the ones I missed...

|MiNi0n|
May 16th, 2003, 01:47
Someone please check my work and add the ones I missed...


[code]
# block in quick all with ipopts # I think this is when scanners use illegal flag combos,
# unsure of the entire list, seen so many different ones
? -> ipopts dropped by default in PF

# block in quick all with frag
# block in quick all with short
scrub in on $xif all fragment reassemble # normalize frags, overlaps, shorts, etc. should
# take care of this

# block return-rst in quick proto tcp all flags FUP # might be the same, not sure
? -> block return-rst in quick on $xif inet proto tcp from any to any flags FUP/FUP
# block return-rst in log quick on xl0 proto tcp from any to any
block return-rst in log quick on $xif proto tcp all

# block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block return-icmp in log quick on $xif proto udp all
[/code]

My additions are beside your question marks SolarfluX, denoted as such: ? ->. If I understood you correctly... that is... that's where you wanted the rules finished :D I'm super tired so I could be way off on what you were asking :roll:

bsdjunkie
May 16th, 2003, 10:20
For all the block return statements, 3.3 now allows you to shorten as

block return

SolarfluX
May 16th, 2003, 11:41
[code]
? -> ipopts dropped by default in PF
? -> block return-rst in quick on $xif inet proto tcp from any to any flags FUP/FUP
[/code]
My additions are beside your question marks SolarfluX, denoted as such: ? ->. If I understood you correctly... that is... that's where you wanted the rules finished :D I'm super tired so I could be way off on what you were asking :roll:
No, you hit it right on the head; thanks, |MiNi0n|!

Looking forward to seeing your example pf.conf and pfctl outputs...

8)

SolarfluX
May 16th, 2003, 11:47
For all the block return statements, 3.3 now allows you to shorten as

block return
Hrm... could you set up us an example (hehe) with the corresponding pf rule expansion (pfctl -sr) for it?

Until then, I'll continue to be explicit in my block return rules; it can't hurt, anyhow.

bsdjunkie
May 16th, 2003, 11:50
Hrm... could you set up us an example (hehe) with the corresponding pf rule expansion (pfctl -sr) for it?

Heh, hate to say it, but RTFM =)

taken from pf faq:
http://www.openbsd.org/faq/pf/shortcuts.html

Return Simplification

A ruleset used to block packets and reply with a TCP RST or ICMP Unreachable response could look like this:

block in all
block return-rst in proto tcp all
block return-icmp in proto udp all
block out all
block return-rst out proto tcp all
block return-icmp out proto udp all

This can be simplified as:

block return

When PF sees the return keyword, it's smart enough to send the proper response, or no response at all, depending on the protocol of the packet being blocked.
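Pulling the pieces from this thread into one loadable ruleset, as an added example that is not from the thread, the repository or the pf FAQ: it combines the scrub line and the FUP/FUP rule from the translation posts above with the single "block return" default that the FAQ excerpt describes. The interface name xl0 and the one inbound service that is allowed (ssh) are assumptions for illustration; ipopts get no rule of their own because pf already drops packets carrying IP options unless a pass rule says allow-opts, as |MiNi0n| noted.

```pf
# Added example ruleset (not from the thread). Interface name is assumed.
ext_if = "xl0"

# Normalization replaces ipfilter's "with frag" / "with short" checks:
# fragments are reassembled and overlapping or truncated packets dropped.
scrub in on $ext_if all fragment reassemble

# Default policy, both directions. "block return" (OpenBSD 3.3 and later)
# answers TCP with RST and UDP with ICMP unreachable, and stays silent for
# anything else, so the explicit return-rst / return-icmp pairs are not needed.
# (Alternatively: "set block-policy return" makes every plain "block" behave
# this way, which is handy if some later block rules omit the modifier.)
block return log on $ext_if all

# Illegal flag combination (ipfilter's "flags FUP"): FIN+URG+PSH without SYN
# or ACK never occurs in a legitimate session. "quick" stops evaluation here.
block return-rst in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Allow outbound traffic and track it, so replies are matched by state and
# never reach the block rule above.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } from any to any keep state

# The single inbound service assumed for this example: ssh, new connections only.
pass in on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state
```

Check it before loading with pfctl -nvf pf.conf, which parses the file without installing it and prints each rule as pf expands it; once loaded, pfctl -sr shows the same expansion, which is the quickest way to compare the one-line "block return" against the six explicit block lines quoted from the FAQ.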

|MiNi0n|
May 16th, 2003, 11:57
No, you hit it right on the head; thanks, |MiNi0n|!

Looking forward to seeing your example pf.conf and pfctl outputs...

8)

Kewl :D

I'm quite heavily working on a few different pf.conf files for a few different setups (like 3 quite different ones). Once I'm *fully* content and satisfied with 'em I'll be happy to add 'em to your repository!

Cheers :)

SolarfluX
May 16th, 2003, 12:01
Ok bsdjunkie/Ghent19, I'll check it out... Kinda want to see how pf expands that out.

I kinda skimmed over the new FAQ, except for the queueing section. Haven't had time due to collecting all those great PF resources. I'll go back and read it thoroughly, promise! Since we're in a bit of a lull (no activity in irc, no new submissions), I'll have time this weekend to grok it fully.

soup4you2
May 16th, 2003, 13:51
Ok bsdjunkie/Ghent19, I'll check it out... Kinda want to see how pf expands that out.

I kinda skimmed over the new FAQ, except for the queueing section. Haven't had time due to collecting all those great PF resources. I'll go back and read it thoroughly, promise! Since we're in a bit of a lull (no activity in irc, no new submissions), I'll have time this weekend to grok it fully.

You're not allowed to have free time... I think we need to find something to keep Solar busy... :twisted:

bsdjunkie
May 16th, 2003, 15:22
heh, What is this "FreeTime" thing you speak of? :twisted:

SolarfluX
May 18th, 2003, 12:49
Damn, too bad I had to run out and pick up Unreal 2 on Saturday...

The PF FAQ will have to wait a bit longer.

:roll:

Anyway, just wanted to send along a little update. The email address for pf-r submissions is now:

pf-r{at}solarflux{dot}org

Trying to avoid harvesting and keep it clean. Now that I have it set up, it's probably a good time to email Dan Hartmeier and inform him of our project, and get some feedback.

Oh, I think I'm also going to post to OBSDJ and maybe /. sometime soon, seeing as we've stagnated a bit the last few days. As always, if anyone knows of people who want to come and hang out in #pf on irc.freenode.net, spread the word.