[wplug] pf and openbsd

Teodorski, Chris teodorski at ppg.com
Wed Feb 6 11:15:50 EST 2008


I would LOVE to hear a pf tutorial. I *kinda* know Iptables, at least enough to lock myself out of my own server, but I know nothing of pf.

Chris

Sorry for the top post -- kind of hard to correct once it has been top posted.

-----Original Message-----
From: wplug-bounces+teodorski=ppg.com at wplug.org [mailto:wplug-bounces+teodorski=ppg.com at wplug.org] On Behalf Of Michael Semcheski
Sent: Wednesday, February 06, 2008 10:42 AM
To: General user list
Subject: Re: [wplug] pf and openbsd

Just in case we don't get a pf tutorial at an upcoming GUM, but your
interest in pf and OpenBSD is piqued, check out:

http://www.openbsd.org/faq/pf/index.html

pf is a fantastic firewall.  I don't know if you can do everything in
iptables that you can with pf.  e.g., authpf.  authpf allows you to
add special firewall rules for people who have authenticated.  For
example, you could set things up to only allow connections to a
certain port if the user is already connected via ssh.



On Feb 6, 2008 9:13 AM, Duncan Hutty <dhutty+wplug at ece.cmu.edu> wrote:
> Brian A. Seklecki wrote:
> > Move fast.  Time is of the essence.  Put an OpenBSD box in front of it
> > running pf(4) and pray that no one ever reads your SMTP headers.
> >
> > ~BAS
> >
> Bad Lava. I don't think he was looking for BSD evangelism.
>
> You know that it's perfectly possible to run nice safe linux boxen as routers for this situation. You should also be aware that there are plenty of large organisations including local .edu installations that have linux machines on publicly routable addresses without firewalls or NAT without getting compromised all the time.
>
> The OP should realise the risks (which it appears that he does) and
> assess whether he has the skills/knowledge/time (or the inclination to
> learn them) in order to mitigate those risks down to what he considers
> to be acceptable levels for this situation. This is the fundamental
> question in security. And well you know it.
>
> If, on the other hand, you want to suggest that OpenBSD/pf would be a
> better solution for this situation. I'm sure wplug would be interested
> in a presentation complete with analysis and howto:)
> --
> Duncan Hutty
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
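A minimal pf.conf plus authpf(8) ruleset showing the "only allow a port once the user has authenticated via ssh" setup Michael describes. This is an added example, not part of the thread; the interface name, network, mail server address and service port are constructed placeholders.

```conf
# ---- /etc/pf.conf (constructed example) ----
ext_if   = "em0"              # constructed: external interface
mail_srv = "192.168.1.25"     # constructed: host only authenticated users may reach

# authpf(8) adds the client's address here on login and removes it on logout,
# so <authpf_users> always reflects who is currently authenticated.
table <authpf_users> persist

set skip on lo
block in log on $ext_if

# ssh must always be reachable: it is the authentication step.  Users whose
# login shell is /usr/sbin/authpf never get a real shell; their session just
# holds the per-user rules in place until they disconnect.
pass in quick on $ext_if proto tcp to ($ext_if) port ssh keep state

# Per-user rules loaded by authpf land in sub-anchors named authpf/<user>(<pid>).
# On OpenBSD 4.6 and earlier, also add nat-anchor/rdr-anchor/binat-anchor
# "authpf/*" if the per-user rules need translation.
anchor "authpf/*"

pass out on $ext_if keep state

# ---- /etc/authpf/authpf.rules (loaded for each authenticated ssh session) ----
# authpf(8) defines $user_ip and $user_id for the session; other macros must be
# redefined here because this file is a separate ruleset from pf.conf.
ext_if   = "em0"
mail_srv = "192.168.1.25"

# Only the authenticated user's own address may reach the protected service.
pass in quick on $ext_if proto tcp from $user_ip to $mail_srv port 25 keep state
```

Users who should get these rules need /usr/sbin/authpf as their login shell and, if /etc/authpf/authpf.allow exists, an entry in it; when the ssh session ends, authpf tears the anchor down and the port is closed to that address again.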
