On Sat, Oct 14, 2017 at 10:46:55AM +0200, Jesper Wallin wrote:
> Hi
>
> So, some background... I raised my concerns to phessler@ about the low
> default configuration values. This was about a year ago when I noticed
> how quickly I could fill all states and stop the machine from accepting
> new connections.
>
> He kindly explained that the defaults are set low to accommodate for
> machines with little memory and that an admin needs to adjust the states
> table if they run a busy server, which makes sense. I'm also aware that
> henning@ is working on a neat solution for this.
>
> Though, I was a bit surprised to see that neither pf(4) nor pf.conf(5) is
> mentioned in afterboot(8), when things like lpd(8), smtpd(8) and packages
> are.
>
> The patch below adds a small section, pointing the admin to the pf(4)
> and pf.conf(5) man pages.
>
>
> Jesper Wallin
>
hi.

i suspect pf is not described this way because it is relatively well
known, and it probably never occurred to anyone. unfortunately i don't
think the situation is so simple, and i don't see a good way to do this
right now.

if you read afterboot(8), it is more written as a list of things to check
when doing installs on a single machine, but less so for router-like
setups. bear in mind that even if you don't do anything after installing,
the pf setup that's there will probably be good for many setups anyway.

it has always been a little unclear about what should qualify for this
page and what shouldn't. the pf stuff probably would most naturally be
around the text instructing users to enable/disable various daemons. that
text points to intro(8), which also does not list pf. the intro docs
themselves are not really satisfactory either.

so there are bigger questions, at least in my mind: is the current format
of afterboot(8) ideal? and what should make the cut for inclusion? right
now we're adding bits on willy-nilly, and making the page less and less
helpful, i fear. also pages like this have a bit of overlap with what the
faq does...

jmc

>
> Index: afterboot.8
> ===================================================================
> RCS file: /cvs/src/share/man/man8/afterboot.8,v
> retrieving revision 1.160
> diff -u -p -r1.160 afterboot.8
> --- afterboot.8 7 Sep 2017 13:08:39 -0000 1.160
> +++ afterboot.8 14 Oct 2017 08:16:35 -0000
> @@ -425,6 +425,14 @@ To do this, change the value of
> .Va xenodm_flags
> in
> .Pa /etc/rc.conf.local .
> +.Ss Firewall
> +Edit
> +.Pa /etc/pf.conf
> +to configure the packet filter.
> +For more information on what features
> +.Xr pf 4
> +has to offer and how to configure them properly, see
> +.Xr pf.conf 5 .
> .Ss Set keyboard type
> Some architectures permit keyboard type control.
> Use the
>
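Review bot: the new .Ss Firewall block is placed between the xenodm and "Set keyboard type" sections, which has nothing to do with either; the reply above already points out that it would sit more naturally beside the text on enabling and disabling daemons, and since that text refers the reader to intro(8), which does not list pf either, adding the section here without a matching intro(8) entry leaves the cross-references inconsistent. The hunk also drops the concern that motivated the patch: the opening mail is about the low default state-table limit being hit on a busy server, yet the added text is only a bare pointer to pf(4) and pf.conf(5). If the section is kept, consider adding a sentence noting that the defaults are sized for small machines and that a busy server needs the state table limit raised in pf.conf(5), so the admin reading afterboot(8) learns the one thing that actually bites them rather than just where the manual is.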