Contributed by jose on from the merged dept.
"This article includes everything I need to know about the new pf syntax, as well as some great information on altqd." I had a look at this last night, and it looks pretty useful. I've been meaning to dig in to the new bandwidth throttling features of the merged PF and altqd; now looks like a good time to start.
By Shane () on
Seems a bit backwards to suggest reading the man pages after you have the firewall set up. Still, not a bad resource.
By Ben Goren () ben@trumpetpower.com on http://www.trumpetpower.com/
There's good stuff there, but there're also some things you'll want to take with a good-sized grain of salt.
First, don't just go blindly turning off everything. Important cron jobs deliver their output via email; disabling sendmail without making appropriate provisions could well keep you from learning of a crisis (disk full, unexpected network connections, whatever). ntpd can be useful, even on a firewall, to ensure that log files have coordinated timestamps. (Of course, you want to be darn careful of how it's configured.) And so on….
Don't bother with making your own kernel unless you've got a damn good reason to do so. The paper doesn't give any reason, let alone a good one. GENERIC is fantastic for firewalls.
Don't start randomly adjusting sysctls, either. As shipped, the system is already overkill for nearly any kind of Internet connection a mere mortal is ever likely to control. Why try to get more performance out of it unless it's too slow and you actually understand the ramifications of what you're doing?
But, having said that, the sample configurations and the like look useful.
Cheers,
b&
By niekze () on
One thing that bugs me, though, is ntpd: no man page, the HTML docs leave a lot of questions, and the example configs are quite strange. Mind providing us with two ntpd configs? One that synchronizes with an outside server and another where the rest of the machines get the time from it. That would work fine for most people.
By Anonymous Coward () on
ntp.conf
driftfile /etc/ntp.drift
server 11.22.33.44
restrict default nomodify ignore notrust
restrict 11.22.33.44 noquery nomodify notrap nopeer
restrict 10.0.0.0 mask 255.0.0.0 nomodify nopeer
restrict 127.0.0.1
rc.conf
ntpd=YES
ntpdate=11.22.33.44
ntpdate runs at boot before ntpd; if your clock is far away from 11.22.33.44, ntpdate will get it in step much more rapidly than ntpd.
ntp.drift keeps your clock reasonably accurate when you're disconnected from the network.
You do need to reboot for this; ntpd should start *before* securelevel is set, and rc knows about this and does things in the correct order.
Check it's up and running with 'ntptrace'. It will usually take a few minutes after startup for things to settle sufficiently for ntpd to give time to clients.
~> sthen@eeyore$ ntptrace
localhost.37.spacehopper.org: stratum 2, offset 0.000260, synch distance 0.55710
ntp1.linx.net: stratum 1, offset -0.091382, synch distance 0.00000, refid '1PPS'
Also see /usr/local/share/examples/ntp/ and of course the documentation that comes with the distribution (maybe /usr/ports/net/ntp/).
By Anonymous Bastard () on
This page describes how to make it work in Linux's CBQ: http://mailman.ds9a.nl/pipermail/lartc/2001q4/001831.html
Is such a thing possible at all in the current ALTQ on OpenBSD? When I upload something on my silly DSL, ACK packets get lost and download speed goes almost to zero :-( By giving ACKs the highest priority it should be fixed.
Any hints, suggestions & links to RTFM are greatly appreciated.
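As an added example (not part of any comment in this thread), here is a pf.conf fragment for the ACK-starvation problem described above, assuming a PF with ALTQ merged in and an external interface named ext_if. The second queue named in a queue pair receives packets with TOS lowdelay and empty TCP ACKs, so outbound ACKs for a download are no longer stuck behind bulk upload data.

```conf
# Constructed example for pf.conf; interface name and bandwidth are assumptions.
ext_if="dc0"

# The bandwidth figure must be slightly BELOW the real upstream rate of the
# DSL link, otherwise the modem's buffer becomes the bottleneck and PF never
# gets to decide which packet goes first.
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Outbound data goes to q_def; pure ACKs (and TOS lowdelay packets) for the
# same states go to the second queue, q_pri, and are sent first.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

# Same pairing for connections initiated from outside, so ACKs we send back
# for inbound transfers are prioritized too.
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)
```

After loading, `pfctl -vs queue` shows per-queue packet counters; if q_pri never grows while uploading, the queue assignment on the rules is not matching.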
By jolan () on
By Mucman () mucmanATmucmail.com on N/A
I am planning on making a bridging firewall, and keep my Freesco box doing NAT. I would love to see some docs on this kind of setup. I don't plan on having any IP addresses on the firewall box.
One thing that I don't like about the article is that the author does not really describe "WHY" for a few of the things he did.
By Anonymous Coward () on
http://ezine.daemonnews.org/200207/transpfobsd.html
http://www.openbsd.org/faq/faq6.html#PF
http://www.openbsd.org/faq/faq6.html#Bridge
There are of course certain advantages to just using a single box for firewall and NAT (faster processing, integrated pf/nat state table, avoiding having interfaces in promiscuous mode, less noise and lower electricity use :-)
By Mucman () mucmanATmucmail.com on mailto:mucmanATmucmail.com