I asked ChatGPT to write a pf.conf to spec (nxdomain.no)
17 points by cjg on June 7, 2023 | hide | past | favorite | 5 comments



The author is not aware that GPT-3.5 does not look up information from HTTP links.

They should try again but with GPT-4 and manually pasting in the man pages.


Here is the response with GPT-4 and it reading the links itself:

Based on the documentation from OpenBSD's PF and spamd manual pages, and with the assumption that the network interfaces are already configured correctly on the server, here is an example of a `pf.conf` configuration that could satisfy your requirements. This configuration will:

1. Block all traffic by default.
2. Allow traffic from the local host.
3. Allow DNS resolution.
4. Allow NTP and SSH out from the DMZ.
5. Allow HTTP and HTTPS to pass through to the web server.
6. Allow SMTP traffic that has been whitelisted by spamd to pass to the mail server.

  ```pf.conf
  # Define network interfaces
  ext_if = "em0"  # replace with your external interface
  dmz_if = "em1"  # replace with your DMZ interface
  local_if = "lo0"

  # Define ports
  web_ports = "{ http, https }"
  ssh_port = "22"
  ntp_port = "123"
  dns_ports = "{ 53, 853 }"
  smtp_port = "25"

  # Default deny policy
  block all

  # Allow all traffic from the local host
  pass quick on $local_if all
  
  # Allow DNS resolution
  pass out on $ext_if proto { tcp, udp } to any port $dns_ports keep state

  # Allow NTP and SSH out from the DMZ
  pass out on $dmz_if proto tcp to any port $ssh_port keep state
  pass out on $dmz_if proto udp to any port $ntp_port keep state

  # Allow HTTP and HTTPS to the web server
  pass in on $ext_if proto tcp to ($ext_if) port $web_ports flags S/SA keep state

  # Allow SMTP traffic that has been whitelisted by spamd to pass to the mail server
  table <spamd-white> persist
  pass in on $ext_if proto tcp from <spamd-white> to any port $smtp_port flags S/SA keep state
  ```
Please replace "em0" and "em1" with the correct external and DMZ interfaces respectively.

This configuration starts with a default block policy, then includes specific pass rules for local traffic, DNS, SSH, NTP, web server traffic, and whitelisted SMTP traffic. The `quick` keyword makes PF stop processing rules on the first match, which is useful for high-priority traffic like local traffic. The `keep state` keyword makes PF remember the state of each connection, allowing return traffic to pass. The `flags S/SA` checks the TCP flags in the packet, helping to prevent certain types of attacks.

I was unable to find a direct reference to spamd in the PF documentation, but based on the spamd man page and other resources, it seems that spamd can be used to manage a whitelist of approved senders, which is stored in the <spamd-white> table in PF. You would need to configure spamd separately to manage this table.

Note: This is a simplified example and might need to be adjusted based on your exact network setup, especially if you have more complex needs like multiple subnets or additional services to support.
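An added offline check, not from the thread or the linked article: it expands the macros of the pasted pf.conf (with its wrapped rule lines rejoined) and tests each numbered requirement of the prompt against the resulting rules. The sample config and the spec patterns are constructed here; it also lists inbound pass rules whose destination is `any`, which is where the generated SMTP rule departs from "pass to the mail server".

```python
import re

# Constructed sample: the thread's generated pf.conf with each rule on one line.
PF_CONF = """
ext_if = "em0"
dmz_if = "em1"
local_if = "lo0"
web_ports = "{ http, https }"
ssh_port = "22"
ntp_port = "123"
dns_ports = "{ 53, 853 }"
smtp_port = "25"
block all
pass quick on $local_if all
pass out on $ext_if proto { tcp, udp } to any port $dns_ports keep state
pass out on $dmz_if proto tcp to any port $ssh_port keep state
pass out on $dmz_if proto udp to any port $ntp_port keep state
pass in on $ext_if proto tcp to ($ext_if) port $web_ports flags S/SA keep state
pass in on $ext_if proto tcp from <spamd-white> to any port $smtp_port flags S/SA keep state
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def expand_rules(conf):
    # Expand $macro references top to bottom (pf needs definition before use)
    # and keep only the filter rules, with comments stripped.
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name in sorted(macros, key=len, reverse=True):  # longest name first
            line = line.replace("$" + name, macros[name])
        if line.startswith(("pass ", "block ")):
            rules.append(line)
    return rules

# One pattern per requirement in the prompt, matched against expanded rules.
SPEC = {
    "default block": r"^block all$",
    "loopback": r"^pass quick on lo0 all$",
    "dns out": r"^pass out on em0 .* port \{ 53, 853 \}",
    "ssh out from dmz": r"^pass out on em1 proto tcp .* port 22\b",
    "ntp out from dmz": r"^pass out on em1 proto udp .* port 123\b",
    "web in": r"^pass in on em0 proto tcp to \(em0\) port \{ http, https \}",
    "spamd smtp in": r"^pass in on em0 proto tcp from <spamd-white> .* port 25\b",
}
def check_spec(rules):
    return {name: any(re.search(p, r) for r in rules) for name, p in SPEC.items()}

def inbound_to_any(rules):
    # Inbound rules that pass to any host rather than to a named server.
    return [r for r in rules if r.startswith("pass in") and " to any " in r]
```

On the OpenBSD host itself, `pfctl -nf pf.conf` is the authoritative syntax check; this script only verifies structure against the spec without pfctl.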


Yeah, I think pf.conf might be beyond it.

It can perform simple translation tasks; I've had success getting it to output graphviz dot format. But writing that pf.conf requires a (simple) mental model, where it's approaching it as a translation task: one pf.conf section for each line given, translated semi-plausibly.


"Be concise" and "document every step." in the prompt did the trick for me.


Give LLMs five more years and this won't be an issue. The fact that it even gets close is seriously impressive.

For people like me who aren't sysadmins, but simply have to do maintenance tasks on VPSes from time to time, something like this would be a godsend.



