> -----Original Message-----
> From: Jason Crawford [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 5:25 PM
> To: Will H. Backman
> Cc: j knight; Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
>
> On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: j knight [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 23, 2005 4:47 PM
> > > To: Will H. Backman
> > > Subject: Re: /usr/share/pf/ suggestion
> > >
> > > --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> > >
> > > > Would it be useful to add an example pf rule set for just a simple host?
> > > > All of the examples assume a router.
> > > >
> > >
> > > This would be more useful in the faq. Please send what you've written.
> > >
> > > :-)
> > >
> > >
> > > .joel
> >
> > # pf rules for a stand alone machine.
> >
> > # Change external interface to match yours
> > ext_if=xl0
> >
> > scrub in all
> >
> > block in all
> >
> > pass out keep state
> >
> > pass quick on lo all
>
> First off, it should be "set skip on lo0" (or lo, but by default
> there's only one lo interface anyways). Secondly, it seems pretty
> pointless to set up pf on a single host. Instead of worrying about the
> firewall, which takes up more memory and cpu and all that, just shut
> off services that you don't need and be done with it. If the attacker
> can hurt your OpenBSD machine, then your firewall is vulnerable as
> well, and it won't protect any applications that need open ports
> listening. Turning off services is always much better than turning on
> services (pf) if you need protection. And the way OpenBSD is set up by
> default, nothing is listening except a couple of inetd services (which I
> always turn off), and sshd if you said y in install; that's it.
>
> Jason
I agree in general, but then start adding the GNOME or KDE desktop or other applications and you never know what is listening.
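As an added example (not from anyone in this thread), a small sh script that answers the "you never know what is listening" question directly: it reads OpenBSD-style `netstat -an -f inet` output and reports every non-loopback TCP listener whose port is not on an expected list. The netstat sample embedded in it is constructed, and the column layout it parses is assumed to match OpenBSD's.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allow-list of expected ports.
# Constructed sample in the layout of OpenBSD "netstat -an -f inet"
# (local address is written as addr.port, wildcard bind as *.port).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.7.40112     ESTABLISHED'

# list_listeners: print "addr port" for each TCP socket in LISTEN state,
# splitting the addr.port form at its last dot (IPv4 addresses contain dots).
list_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, parts, ".")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }'
}

# unexpected_listeners ALLOWED_PORTS: read netstat output on stdin and print
# listeners bound to a non-loopback address whose port is not in the
# space-separated ALLOWED_PORTS. Loopback-only listeners are tolerated since
# they are unreachable from the network with or without pf.
unexpected_listeners() {
    allowed="$1"
    list_listeners | while read -r addr port; do
        case "$addr" in
            127.*|::1) continue ;;
        esac
        case " $allowed " in
            *" $port "*) ;;
            *) printf '%s %s\n' "$addr" "$port" ;;
        esac
    done
}

# audit_sample ALLOWED_PORTS: run the check over the constructed sample.
# Against a live host: netstat -an -f inet | unexpected_listeners "22"
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1"
}
```

With only sshd expected, the sample reports the X11 listener on port 6000 and nothing else, since the port 587 listener is bound to 127.0.0.1.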