On Mon, 6 Oct 2008 04:51:01 -0700, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
>> I run my laptop with a `pf.conf' that (putting most of the comments and
>> other disabled rules for one-off tests aside) looks pretty much like:
>>
>>     set block-policy drop
>>     set require-order yes
>>     set skip on lo0
>>     scrub in all
>>     block in all
>>     block out all
>>     pass in quick proto icmp all
>>     pass out quick proto icmp all
>>     pass out proto { tcp, udp } all keep state
>
> A couple things to point out here:
>
> First, ICMP rules coming first (especially with "quick") might not be
> ideal; ICMP is often considered a "last resort" protocol, meaning TCP
> and UDP packets should have priority over it. It all depends on what
> you want, but this is often the industry norm.

That's nice.

> Second, and much more importantly, if you're on RELENG_7, "keep state"
> serves no purpose here; "flags S/SA" is implicit on TCP rules, and
> "keep state" is implicit in TCP, UDP, and ICMP rules.

8.0-CURRENT, so `flags S/SA' is indeed implicit. I updated the rules to
include `flags S/SA' too. Both this part and `keep state' are implicit
now, but I like being slightly less verbose because I tend to forget what
is `default' and what is not, at the expense of being slightly more
verbose :)

> Happy firewalling! :-)

Thanks :)

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
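The two points raised in the thread (put the stateful TCP/UDP rules ahead of the ICMP rules, and drop the redundant "keep state" / "flags S/SA" on a pf that already defaults to them) applied to the quoted ruleset. This is an added example, not the poster's updated pf.conf; it assumes pf as shipped with FreeBSD 7.x / 8.0-CURRENT, where "keep state" and "flags S/SA" are the defaults on pass rules. One deliberate deviation from the original, noted in the comments: inbound ICMP is narrowed to echo requests instead of "all", since the original "pass in quick proto icmp all" admits every ICMP type.

```pf
# Added example (not the original poster's ruleset): the same laptop
# policy for pf on FreeBSD 7.x / 8.0-CURRENT.

set block-policy drop
set require-order yes
set skip on lo0

scrub in all

# Default deny in both directions; everything below punches holes.
block in all
block out all

# Outbound TCP/UDP first, before the ICMP rules. On this pf version the
# line below is equivalent to the two fully spelled-out rules:
#   pass out proto tcp all flags S/SA keep state
#   pass out proto udp all keep state
# "flags S/SA" means only a packet with SYN set and ACK clear can create
# a TCP state; later packets of the connection match the state table,
# not a rule, and the inbound replies never need a "pass in".
pass out proto { tcp, udp } all

# ICMP last, as suggested in the thread. Outbound ICMP creates state, so
# echo replies to our own pings come back via the state table. Inbound
# is limited to echo requests here (assumption: that is all the laptop
# needs to answer); the original "pass in quick proto icmp all" would
# accept every ICMP type.
pass in quick inet proto icmp all icmp-type echoreq
pass out quick inet proto icmp all
```

To check a ruleset without loading it, run `pfctl -nf /etc/pf.conf`. After loading, `pfctl -sr` prints the rules as pf actually holds them, with the implicit "flags S/SA keep state" expanded on the TCP rule, which is the quickest way to see which keywords are defaults and which are not.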