Re: pf for FreeBSD
On Sat, 2 Oct 2004 15:45:07 -0500, Jay Moore <[EMAIL PROTECTED]> wrote:
> On Tuesday 28 September 2004 07:33 am, shane mullins wrote:
>
> << reformatted to correct top-posting >>
>
> > - Original Message -
> > >hello folks,
> > >i want to install the packet filter for FreeBSD so i recompile the
> > > kernel with the options :
> >
> > Why not just run OpenBSD if you want to use pf? I use both Free and
> > OpenBSD. But, pf is much easier to set up on OpenBSD. Just install
> > OpenBSD, enable routing, enable pf in rc.conf and you are done.
> >
> > Shane
>
> Why not...? One reason might be that he is not a masochist.
>
> Jay

I hate to say this because I bear no hostility towards openBSD, but there are many reasons to opt for freebsd. I know I did when I just built a firewall. My reason was multiprocessor support. While FreeBSD on SMP is gorgeous and intricate, under oBSD, it is non-existent until next version. Further, I am more used to FreeBSD and adminning OS's that you are less used to is generally a bad idea when setting up machines. The hardware support for FreeBSD is also decidedly more vast than that of oBSD and the performance of fBSD generally faster.

--
If I write a signature, my emails will appear more personalised.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: pf for FreeBSD
On Tuesday 28 September 2004 07:33 am, shane mullins wrote:

<< reformatted to correct top-posting >>

> - Original Message -
> >hello folks,
> >i want to install the packet filter for FreeBSD so i recompile the
> > kernel with the options :
>
> Why not just run OpenBSD if you want to use pf? I use both Free and
> OpenBSD. But, pf is much easier to set up on OpenBSD. Just install
> OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane

Why not...? One reason might be that he is not a masochist.

Jay
Re: pf for FreeBSD
On Sep 28, 2004, at 8:33 AM, shane mullins wrote:

> Why not just run OpenBSD if you want to use pf? I use both Free and
> OpenBSD. But, pf is much easier to set up on OpenBSD. Just install
> OpenBSD, enable routing, enable pf in rc.conf and you are done.

I can tell you in my case OpenBSD doesn't provide drivers for the hardware I have.

--
Michael Conlen
[EMAIL PROTECTED]
Re: pf for FreeBSD
Switching OSes is not a choice.

Now i done it !!! It seems that pf was already installed with the base system, although i can't seem to find the installed binaries. I issued a pkg_delete to remove the old pf and then reinstall pf from sources with ALTQ. Now it works smoothly ... and I am a happy man. Though I am still wondering why the installed pf wasn't working

Cristi

"Michael E.Conlen" wrote:
> On Sep 28, 2004, at 8:33 AM, shane mullins wrote:
>
> > Why not just run OpenBSD if you want to use pf? I use both Free
> > and OpenBSD. But, pf is much easier to set up on OpenBSD. Just
> > install OpenBSD, enable routing, enable pf in rc.conf and you are
> > done.
>
> I can tell you in my case OpenBSD doesn't provide drivers for the
> hardware I have.
>
> --
> Michael Conlen
> [EMAIL PROTECTED]
Re: pf for FreeBSD
On Tue, 28 Sep 2004 09:54:18 +0200 Cristi Tauber <[EMAIL PROTECTED]> wrote:

> hello folks,
> i want to install the packet filter for FreeBSD so i recompile the
> kernel with the options :
>
> device bpf
> options PFIL_HOOKS
> options RANDOM_IP_ID
>
> and installed pf from ports ( i did a cvsup before installing to
> get the latest ports). Now my dilemma is ... in pf start script ... i
> have to enter a prefix ... but what prefix, 'cause after installing
> and rebooting the modules that I want to load are still in source
> directory . I installed pf with

Does the prefix by chance refer to the full path to the script (i.e. /usr/local/etc/rc.d/pf.sh)? Read the comments in the script; it will tell you what you need to do to /etc/rc.conf to get things started on bootup.

> make WITH_ALTQ=yes
> make install

I've been running pf on two separate FBSD 5.2.1 boxes for weeks without adding this switch. Only thing that doesn't work that great is spamd logging but otherwise I prefer pf over ipf and ipfw any day -- even on a ported OS...

Cheers,
EB
[OT] Re: pf for FreeBSD
Hi Cristi,

> it crossed my mind to run openBSD but i have to reinstall the server
> and the applications (mysql, qmail,etc ...) and besides that ... i know
> that openbsd can't take advantage of SMP servers. I don't know if newer
> versions 'see' SMP but an older (i don't precisely know the version but
> it was the latest i got in january this year) one i was trying to setup
> can't !

http://www.openbsd.org/36.html#new

3.6 is in CVS and will be released November 1. I believe that if you hurry and install a snapshot from September 17 or before, you'll be able to jump to 3.6. Don't take my word for it, though.

Bye...
Nico
RE: pf for FreeBSD
IMHO it's not very hard in FreeBSD 5.3 either now it's in the base. The only additional step to what you describe below is adding the kernel options & building/installing the kernel to include them, which is only 2 commands.

However, some of the log analysis ports I've tried (fwanalog... & another the name of which slips my mind, damn) do not work with the FreeBSD implementation of tcpdump :-(

I suppose, with OpenBSD's complete focus on security if I was building a dedicated firewall I would very probably select OpenBSD. Depends what other things Cristi is using FreeBSD for.

Phil.

> -Original Message-
> From: shane mullins [mailto:[EMAIL PROTECTED]
> Sent: 28 September 2004 13:34
> To: Cristi Tauber
> Cc: [EMAIL PROTECTED]
> Subject: Re: pf for FreeBSD
>
> Why not just run OpenBSD if you want to use pf? I use both Free and
> OpenBSD. But, pf is much easier to set up on OpenBSD. Just install
> OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
>
> - Original Message -
> From: "Cristi Tauber" <[EMAIL PROTECTED]>
> To: "FreeBSD Question" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 28, 2004 12:54 AM
> Subject: pf for FreeBSD
>
> > hello folks,
> > i want to install the packet filter for FreeBSD so i recompile the
> > kernel with the options :
> >
> > device bpf
> > options PFIL_HOOKS
> > options RANDOM_IP_ID
> >
> > and installed pf from ports ( i did a cvsup before installing to
> > get the latest ports). Now my dilemma is ... in pf start script ... i
> > have to enter a prefix ... but what prefix, 'cause after installing and
> > rebooting the modules that I want to load are still in source
> > directory . I installed pf with
> >
> > make WITH_ALTQ=yes
> > make install
> >
> > after a deinstall I can't install it anymore, the install
> > crashes with the error that is already installed !!
> >
> > What can I do ??/
> >
> > Cristi
RE: pf for FreeBSD
The fact you only have to maintain one OS is one great advantage. One ports tree, one system to patch for security updates. The learning curve to use FreeBSD's pf is negligible imo. As long as kernel support is compiled in for it, and you have the users in your /etc/passwd it just works. Least for me as I have been using it since it was introduced as a kernel kld, and sometime shortly after it became a native module to freebsd. It's imo easier to maintain than say ipfw, as well as faster.

-Original Message-
From: shane mullins [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 2:34 PM
To: Cristi Tauber
Cc: [EMAIL PROTECTED]
Subject: Re: pf for FreeBSD

Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

Shane

- Original Message -
From: "Cristi Tauber" <[EMAIL PROTECTED]>
To: "FreeBSD Question" <[EMAIL PROTECTED]>
Sent: Tuesday, September 28, 2004 12:54 AM
Subject: pf for FreeBSD

> hello folks,
> i want to install the packet filter for FreeBSD so i recompile the
> kernel with the options :
>
> device bpf
> options PFIL_HOOKS
> options RANDOM_IP_ID
>
> and installed pf from ports ( i did a cvsup before installing to
> get the latest ports). Now my dilemma is ... in pf start script ... i
> have to enter a prefix ... but what prefix, 'cause after installing and
> rebooting the modules that I want to load are still in source
> directory . I installed pf with
>
> make WITH_ALTQ=yes
> make install
>
> after a deinstall I can't install it anymore, the install
> crashes with the error that is already installed !!
>
> What can I do ??/
>
> Cristi
Re: pf for FreeBSD
Hello,

it crossed my mind to run openBSD but i have to reinstall the server and the applications (mysql, qmail,etc ...) and besides that ... i know that openbsd can't take advantage of SMP servers. I don't know if newer versions 'see' SMP but an older (i don't precisely know the version but it was the latest i got in january this year) one i was trying to setup can't !

Cristi

> Why not just run OpenBSD if you want to use pf? I use both Free and
> OpenBSD. But, pf is much easier to set up on OpenBSD. Just install
> OpenBSD, enable routing, enable pf in rc.conf and you are done.
>
> Shane
>
> - Original Message -
> From: "Cristi Tauber" <[EMAIL PROTECTED]>
> To: "FreeBSD Question" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 28, 2004 12:54 AM
> Subject: pf for FreeBSD
>
>> hello folks,
>> i want to install the packet filter for FreeBSD so i recompile the
>> kernel with the options :
>>
>> device bpf
>> options PFIL_HOOKS
>> options RANDOM_IP_ID
>>
>> and installed pf from ports ( i did a cvsup before installing to
>> get the latest ports). Now my dilemma is ... in pf start script ... i
>> have to enter a prefix ... but what prefix, 'cause after installing and
>> rebooting the modules that I want to load are still in source
>> directory . I installed pf with
>>
>> make WITH_ALTQ=yes
>> make install
>>
>> after a deinstall I can't install it anymore, the install
>> crashes with the error that is already installed !!
>>
>> What can I do ??/
>>
>> Cristi
Re: pf for FreeBSD
Why not just run OpenBSD if you want to use pf? I use both Free and OpenBSD. But, pf is much easier to set up on OpenBSD. Just install OpenBSD, enable routing, enable pf in rc.conf and you are done.

Shane

- Original Message -
From: "Cristi Tauber" <[EMAIL PROTECTED]>
To: "FreeBSD Question" <[EMAIL PROTECTED]>
Sent: Tuesday, September 28, 2004 12:54 AM
Subject: pf for FreeBSD

> hello folks,
> i want to install the packet filter for FreeBSD so i recompile the
> kernel with the options :
>
> device bpf
> options PFIL_HOOKS
> options RANDOM_IP_ID
>
> and installed pf from ports ( i did a cvsup before installing to
> get the latest ports). Now my dilemma is ... in pf start script ... i
> have to enter a prefix ... but what prefix, 'cause after installing and
> rebooting the modules that I want to load are still in source
> directory . I installed pf with
>
> make WITH_ALTQ=yes
> make install
>
> after a deinstall I can't install it anymore, the install
> crashes with the error that is already installed !!
>
> What can I do ??/
>
> Cristi
RE: pf for FreeBSD
Hi,

I'm not sure of the dates of when 5.2.1 was released to tell you for sure whether pf is available in the kernel or not. I only started using 5.x when 5.3-Beta was released and pf has always been available in kernel for me. Never used the port.

To check if pf is installed/available you could try the command line via which pf is configured i.e.

# pfctl -sa

(i.e. show all currently configured options for pf).

To check if it's available in the base system you could try configuring a kernel with the devices in my previous email and see if they're accepted.

Thanks,
Phil.

> -Original Message-
> From: Cristi Tauber [mailto:[EMAIL PROTECTED]
> Sent: 28 September 2004 11:19
> To: Philip Payne
> Cc: FreeBSD Question
> Subject: RE: pf for FreeBSD
>
> Hello,
> i'm using 5.2.1 and i want to recompile pf to take advantage of ALTQ.
> This was the reason for reinstalling. What about that prefix in startup
> script ... this is where i have no clues ... what's the path ...
> And another thing ... if i want to install pf now it says that is
> already installed ... strange ... because i can't find it now, not
> the binaries nor the modules .
> Cristi
>
> > Hi,
> >
> >> hello folks,
> >> i want to install the packet filter for FreeBSD so i recompile the
> >> kernel with the options :
> >>
> >> device bpf
> >> options PFIL_HOOKS
> >> options RANDOM_IP_ID
> >>
> >> and installed pf from ports ( i did a cvsup before installing to
> >> get the latest ports). Now my dilemma is ... in pf start script ... i
> >> have to enter a prefix ... but what prefix, 'cause after
> >> installing and
> >> rebooting the modules that I want to load are still in source
> >> directory . I installed pf with
> >>
> >> make WITH_ALTQ=yes
> >> make install
> >>
> >> after a deinstall I can't install it anymore, the install
> >> crashes with the error that is already installed !!
> >>
> >> What can I do ??/
> >
> > I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x
> > you're using. According to /usr/src/UPDATING Since 08-Mar-2004 pf has been
> > part of the base system and doesn't require the pf port to be installed.
> > So,
> > a way forward could be to ensure you've updated to latest 5.x version (cvs
> > tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also
> > contains
> > some info on the pf groups & users required.
> >
> > I have the following devices in my kernel:
> > device PFIL_HOOKS
> > device pf
> > device pflog
> >
> > I have the following in /etc/rc.conf:
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules=""
> >
> > You will also need the authpf group and the _pflogd user & group. You can
> > get the details by downloading the latest source and checking the passwd &
> > group files under /usr/src/etc.
> >
> > in /etc/passwd:
> > _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> >
> > in /etc/group:
> > authpf:*:63:
> > _pflogd:*:64:
> >
> > I will leave it to you on how you generate a ruleset. Personally I use
> > fwbuilder.org .
> >
> > Thanks,
> > Phil.
RE: pf for FreeBSD
Hello,

i'm using 5.2.1 and i want to recompile pf to take advantage of ALTQ. This was the reason for reinstalling. What about that prefix in startup script ... this is where i have no clues ... what's the path ...

And another thing ... if i want to install pf now it says that is already installed ... strange ... because i can't find it now, not the binaries nor the modules .

Cristi

> Hi,
>
>> hello folks,
>> i want to install the packet filter for FreeBSD so i recompile the
>> kernel with the options :
>>
>> device bpf
>> options PFIL_HOOKS
>> options RANDOM_IP_ID
>>
>> and installed pf from ports ( i did a cvsup before installing to
>> get the latest ports). Now my dilemma is ... in pf start script ... i
>> have to enter a prefix ... but what prefix, 'cause after
>> installing and
>> rebooting the modules that I want to load are still in source
>> directory . I installed pf with
>>
>> make WITH_ALTQ=yes
>> make install
>>
>> after a deinstall I can't install it anymore, the install
>> crashes with the error that is already installed !!
>>
>> What can I do ??/
>
> I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x
> you're using. According to /usr/src/UPDATING Since 08-Mar-2004 pf has been
> part of the base system and doesn't require the pf port to be installed.
> So,
> a way forward could be to ensure you've updated to latest 5.x version (cvs
> tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also
> contains
> some info on the pf groups & users required.
>
> I have the following devices in my kernel:
> device PFIL_HOOKS
> device pf
> device pflog
>
> I have the following in /etc/rc.conf:
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules=""
>
> You will also need the authpf group and the _pflogd user & group. You can
> get the details by downloading the latest source and checking the passwd &
> group files under /usr/src/etc.
>
> in /etc/passwd:
> _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
>
> in /etc/group:
> authpf:*:63:
> _pflogd:*:64:
>
> I will leave it to you on how you generate a ruleset. Personally I use
> fwbuilder.org .
>
> Thanks,
> Phil.
RE: pf for FreeBSD
Hi,

> hello folks,
> i want to install the packet filter for FreeBSD so i recompile the
> kernel with the options :
>
> device bpf
> options PFIL_HOOKS
> options RANDOM_IP_ID
>
> and installed pf from ports ( i did a cvsup before installing to
> get the latest ports). Now my dilemma is ... in pf start script ... i
> have to enter a prefix ... but what prefix, 'cause after
> installing and
> rebooting the modules that I want to load are still in source
> directory . I installed pf with
>
> make WITH_ALTQ=yes
> make install
>
> after a deinstall I can't install it anymore, the install
> crashes with the error that is already installed !!
>
> What can I do ??/

I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x you're using. According to /usr/src/UPDATING Since 08-Mar-2004 pf has been part of the base system and doesn't require the pf port to be installed. So, a way forward could be to ensure you've updated to latest 5.x version (cvs tag RELENG_5). Then I suggest you read /usr/src/UPDATING as it also contains some info on the pf groups & users required.

I have the following devices in my kernel:

device PFIL_HOOKS
device pf
device pflog

I have the following in /etc/rc.conf:

pf_enable="YES"
pflog_enable="YES"
pf_rules=""

You will also need the authpf group and the _pflogd user & group. You can get the details by downloading the latest source and checking the passwd & group files under /usr/src/etc.

in /etc/passwd:

_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin

in /etc/group:

authpf:*:63:
_pflogd:*:64:

I will leave it to you on how you generate a ruleset. Personally I use fwbuilder.org .

Thanks,
Phil.
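
An added example, not part of any message in this thread: a small sh script that checks the userland items Phil's message lists (pf_enable and pflog_enable in rc.conf, the _pflogd user, the authpf and _pflogd groups). The function names and sample files are constructed for illustration, and the script assumes the settings live in the single rc.conf file it is given.

```sh
#!/bin/sh
# Added example (not from the thread). Checks only the files passed in,
# so it can be run against copies as well as against /etc.

# rc_var_enabled FILE VAR: true if the last assignment of VAR in FILE is a
# value rc.subr's checkyesno accepts (YES, TRUE, ON or 1, any case).
rc_var_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# passwd_user_ok FILE USER: true if USER exists and has a nologin shell.
passwd_user_ok() {
    awk -F: -v u="$2" '$1 == u { found = 1; if ($NF ~ /nologin$/) ok = 1 }
        END { exit !(found && ok) }' "$1"
}

# group_exists FILE GROUP: true if GROUP has an entry in FILE.
group_exists() {
    awk -F: -v g="$2" '$1 == g { found = 1 } END { exit !found }' "$1"
}

# check_pf_prereqs RC_CONF PASSWD GROUP
# Prints one line per missing item; succeeds only if nothing is missing.
check_pf_prereqs() {
    missing=0
    for var in pf_enable pflog_enable; do
        if ! rc_var_enabled "$1" "$var"; then
            echo "rc.conf: $var is not enabled"
            missing=$((missing + 1))
        fi
    done
    if ! passwd_user_ok "$2" _pflogd; then
        echo "passwd: _pflogd user missing or has a login shell"
        missing=$((missing + 1))
    fi
    for grp in authpf _pflogd; do
        if ! group_exists "$3" "$grp"; then
            echo "group: $grp is missing"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_sample DIR: writes constructed sample files using the values
# quoted in the message above.
make_sample() {
    printf '%s\n' 'pf_enable="YES"' 'pflog_enable="YES"' > "$1/rc.conf"
    printf '%s\n' '_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'authpf:*:63:' '_pflogd:*:64:' > "$1/group"
}

# With three paths, check those files; otherwise run on the constructed sample.
if [ "$#" -eq 3 ]; then
    check_pf_prereqs "$@"
else
    demo=$(mktemp -d) && make_sample "$demo"
    check_pf_prereqs "$demo/rc.conf" "$demo/passwd" "$demo/group" \
        && echo "sample: all prerequisites present"
    rm -rf "$demo"
fi
```

On a live system the three arguments would be /etc/rc.conf, /etc/passwd and /etc/group; the kernel side is checked separately with the pfctl -sa command mentioned earlier in the thread.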