On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: j knight [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 23, 2005 4:47 PM
> > To: Will H. Backman
> > Subject: Re: /usr/share/pf/ suggestion
> >
> > --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> >
> > > Would it be useful to add an example pf rule set for just a simple host?
> > > All of the examples assume a router.
> > >
> >
> > This would be more useful in the faq. Please send what you've written.
> >
> > :-)
> >
> > .joel
>
> # pf rules for a stand alone machine.
>
> # Change external interface to match yours
> ext_if=xl0
>
> scrub in all
>
> block in all
>
> pass out keep state
>
> pass quick on lo all
>
First off, it should be `set skip on lo0` (or lo, but by default there's only one lo interface anyway). Secondly, it seems pretty pointless to set up pf on a single host. Instead of worrying about the firewall, which takes up more memory and CPU and all that, just shut off the services that you don't need and be done with it. If the attacker can hurt your OpenBSD machine, then your firewall is vulnerable as well, and it won't protect any applications that need open ports listening. Turning off services is always much better than turning on services (pf) if you need protection. And the way OpenBSD is set up by default, nothing is listening except a couple of inetd services (which I always turn off), and sshd if you said y during install; that's it.

Jason
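For reference, here is what the stand-alone ruleset from the quoted post looks like with Jason's correction applied. This is an added example, not something either poster sent to the list: the interface name `xl0` is carried over from the quoted post, and the single inbound ssh exception is an assumption (drop it if sshd is not running, which is the point Jason makes).

```pf
# /etc/pf.conf for a stand-alone host (added example, not from the thread).
# Interface name is an assumption; change it to match the machine.
ext_if = "xl0"

# Skip filtering on loopback entirely. This replaces the original
#   pass quick on lo all
# line; 'set skip' keeps lo0 out of the ruleset instead of matching it.
set skip on lo0

# Normalize incoming packets (defragment, sanity-check headers).
scrub in all

# Default deny for anything arriving on the external interface;
# let everything this host originates out and track it statefully.
block in all
pass out keep state

# The only inbound exception: ssh to this host's own address.
# Assumption: sshd was enabled at install time. Remove if it was not.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
```

Before loading it, check the syntax with `pfctl -nf /etc/pf.conf`; load with `pfctl -f /etc/pf.conf` and list the active rules with `pfctl -sr` to confirm the `set skip` took effect (lo0 will no longer appear in the rules). To apply Jason's other advice first, `netstat -an -f inet | grep LISTEN` shows which ports are actually open; every line there that is not needed is a service to turn off in /etc/inetd.conf or /etc/rc.conf.local rather than a rule to write.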