[wplug] pf and openbsd

Mackenzie Morgan macoafi at gmail.com
Wed Feb 6 17:01:03 EST 2008


Before messing with iptables, set a little script to undo whatever you did
after 5 minutes when you mess with it, so you can test out the changes. That
way, if you *do* lock yourself out, you know 1) not to use those settings and
2) how to get back in.

On Feb 6, 2008 11:15 AM, Teodorski, Chris <teodorski at ppg.com> wrote:

>
> I would LOVE to hear a pf tutorial. I *kinda* know Iptables, at least
> enough to lock myself out of my own server, but I know nothing of pf.
>
> Chris
>
> Sorry for the top post -- kind of hard to correct once it has been top
> posted.
>
> -----Original Message-----
> From: wplug-bounces+teodorski=ppg.com at wplug.org [mailto:
> wplug-bounces+teodorski=ppg.com at wplug.org] On Behalf Of Michael Semcheski
> Sent: Wednesday, February 06, 2008 10:42 AM
> To: General user list
> Subject: Re: [wplug] pf and openbsd
>
> Just in case we don't get a pf tutorial at an upcoming GUM, but your
> interest in pf and OpenBSD is piqued, check out:
>
> http://www.openbsd.org/faq/pf/index.html
>
> pf is a fantastic firewall.  I don't know if you can do everything in
> iptables that you can with pf.  e.g., authpf.  authpf allows you to
> add special firewall rules for people who have authenticated.  For
> example, you could set things up to only allow connections to a
> certain port if the user is already connected via ssh.
>
>
>
> On Feb 6, 2008 9:13 AM, Duncan Hutty <dhutty+wplug at ece.cmu.edu> wrote:
> > Brian A. Seklecki wrote:
> > > Move fast.  Time is of the essence.  Put an OpenBSD box in front of it
> > > running pf(4) and pray that no one ever reads your SMTP headers.
> > >
> > > ~BAS
> > >
> > Bad Lava. I don't think he was looking for BSD evangelism.
> >
> > You know that it's perfectly possible to run nice safe linux boxen as
> > routers for this situation. You should also be aware that there are plenty
> > of large organisations including local .edu installations that have linux
> > machines on publicly routable addresses without firewalls or NAT without
> > getting compromised all the time.
> >
> > The OP should realise the risks (which it appears that he does) and
> > assess whether he has the skills/knowledge/time (or the inclination to
> > learn them) in order to mitigate those risks down to what he considers
> > to be acceptable levels for this situation. This is the fundamental
> > question in security. And well you know it.
> >
> > If, on the other hand, you want to suggest that OpenBSD/pf would be a
> > better solution for this situation. I'm sure wplug would be interested
> > in a presentation complete with analysis and howto:)
> > --
> > Duncan Hutty
> >
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> >
>
> [Teodorski, Chris]
>



-- 
Mackenzie Morgan
Linux User #432169
ACM Member #3445683
http://ubuntulinuxtipstricks.blogspot.com <-my blog of Ubuntu stuff
apt-get moo
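As an added example (not code from anyone in the thread), here is one way to script the safety net Mackenzie describes: snapshot the live ruleset, arm a timed rollback, load the new rules, and cancel the rollback only after a fresh login has succeeded. It assumes iptables-save/iptables-restore and root; the command names and file paths are assumptions and are left overridable.

```shell
# Safety net for a firewall change: snapshot the live ruleset, arm a timed
# rollback, load the new rules, and cancel the rollback only once a *new*
# login has succeeded. Assumed (not from the thread): iptables-save and
# iptables-restore exist and this runs as root; commands and paths are
# variables so the logic can be exercised against stand-ins.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
SNAPSHOT=${SNAPSHOT:-/var/tmp/iptables.rollback}
PIDFILE=${PIDFILE:-/var/tmp/iptables.rollback.pid}

# Save the current rules; fail on an empty dump, since "restoring" an empty
# file would not put the old rules back.
fw_snapshot() {
    "$IPT_SAVE" > "$SNAPSHOT" || return 1
    [ -s "$SNAPSHOT" ]
}

# Background timer that restores the snapshot after $1 seconds. It ignores
# SIGHUP so it survives the SSH session dying if the new rules lock you out.
fw_arm_rollback() {
    (
        trap '' HUP
        sleep "$1"
        "$IPT_RESTORE" < "$SNAPSHOT"
        rm -f "$PIDFILE"
    ) &
    echo $! > "$PIDFILE"
}

# Cancel the pending rollback. Call this only from a fresh SSH session opened
# after the new rules went live; an existing session can keep working even
# when new connections are blocked.
fw_commit() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || :
    rm -f "$PIDFILE"
}

# Whole workflow: $1 is an iptables-restore rules file, $2 the rollback delay
# in seconds (default 300, the 5 minutes suggested above).
fw_try() {
    fw_snapshot || return 1
    fw_arm_rollback "${2:-300}"
    if ! "$IPT_RESTORE" < "$1"; then
        fw_commit                     # new rules would not load: put the
        "$IPT_RESTORE" < "$SNAPSHOT"  # old ones back right away
        return 1
    fi
    echo "new rules live; run fw_commit within ${2:-300}s to keep them"
}
```

Typical use is `fw_try /root/new.rules`, then from a second, freshly opened SSH session `fw_commit`; if that second login never works, the snapshot comes back on its own.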