On Fri, Aug 08, 2003 at 04:17:49PM -0400, J. Sabino wrote:

> First, I've read that pf is configured by default with an implicit allow
> all policy, I take that to mean that if you simply turn on pf and do not
> load any pf.conf file (filtering or nat rules, etc), the policy will
> allow everything, is this correct?

Yes, correct.

> [...] I see the rule that allows tcp, udp and icmp out the
> external interface and with the use of keep state, replies would be let
> back in to the external interface but the internal interface (I think)
> would block these connections. Am I missing something?

No, you are right. The ruleset will not allow internal hosts to open
connections to external hosts, only to the firewall itself (and the rule
that allows that is explicit, so I presume this is intentional).

I take it that you find such a policy useless and expect an example
firewall to allow local hosts to talk to the Internet :)

But this is a common policy: block all traffic and allow specific
services. That firewall might be running a DNS server, with the local
hosts being configured to use it. So they can resolve names. Then run a
http proxy on the firewall (like squid) and configure the local hosts to
use it. Now the local hosts can surf the web, without ever talking to an
external host directly. The http proxy can log and filter out unwanted
content (like virii, pop-up ads or porn) and rewrite http traffic
(filtering exploits trying to overflow a web browser).

If you want to allow direct outgoing connections, you'll have to add
pass rules for the internal interface (or change the two existing rules
that limit traffic to the firewall itself).

Agreed, many (if not most) people will eventually do that. But I think
the ruleset is not a bad example. Maybe it should mention all of this in
a comment, describing the policy in plain English.

Daniel
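The policy Daniel describes, written out as a constructed pf.conf (an added illustration, not the example ruleset the thread refers to and not Daniel's own text; interface names, the LAN prefix, and the proxy port 3128 are assumptions):

```pf
# Constructed example: "block everything, allow specific services".
# Interface names and addresses are placeholders; substitute your own.
ext_if = "fxp0"
int_if = "xl0"
lan    = "192.168.1.0/24"

# Loopback is never filtered.
pass quick on lo0

# Default policy: drop everything, in and out, on every interface.
block all

# The firewall itself may open tcp/udp/icmp connections to the outside;
# keep state lets the replies back in on the external interface.
pass out on $ext_if proto { tcp udp icmp } from $ext_if keep state

# Internal hosts may talk to the firewall only: DNS on port 53 and the
# http proxy (squid, assumed on port 3128). Nothing else from the LAN
# passes, so no internal host ever reaches an external host directly.
pass in on $int_if proto udp from $lan to $int_if port 53 keep state
pass in on $int_if proto tcp from $lan to $int_if port { 53 3128 } \
    flags S/SA keep state

# Only if direct outbound connections from the LAN are wanted, add pass
# rules on the internal interface (and a matching "pass out" on $ext_if
# for LAN sources), which is the change Daniel says most people make:
# pass in  on $int_if proto { tcp udp icmp } from $lan to any keep state
# pass out on $ext_if proto { tcp udp icmp } from $lan to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to confirm the syntax before the policy goes live.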