Re: Another PF question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Another PF question
- From: Henning Brauer <lists-openbsd_(_at_)_bsws_(_dot_)_de>
- Date: Thu, 13 Mar 2003 14:27:42 +0100
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Thu, Mar 13, 2003 at 12:46:35PM +0000, Nuno Branco wrote:
> On Thu, 2003-03-13 at 12:22, Dom De Vitto wrote:
> > You're using and understand keep state & its siblings, right?
> > Can multiple host rules be turned into a single subnet rule?
> > Can groups be used to reduce the number of config file lines?
> I thought that GROUP and HEAD was gone.
yes, they are.
> Did I only read half of the
> documentation?
sometimes I think he didn't.
> The idea here is to have each user with a strict ruleset, without hitting
> performance (too bad at least)
sounds like a prime candidate for using anchors ;-)
using quick makes a lot of sense in your setup, and the pure rule count
should not hurt you much. the only thing is skip steps calculation once when
you load the rules, and performance of the calculation increased
dramatically after 3.2.
without knowing too much about your setup, it sure sounds like you want
anchors, one for each luserhost.
like, somewhere in your ruleset,
anchor luserhosts
(you can even make that conditional:
anchor luserhosts from $lusernet to ...
)
and load the rules for each luserhost independently then instead of
reloading the whole ruleset each time, like, when you hand out a new lease
for host a, and its IP is $hosta:
pfctl -a luserhosts:hosta -f /path/to/rules/for/hosta
then same for host b:
pfctl -a luserhosts:hostb -f /path/to/rules/for/hostb
and remove them independently when the host a is gone:
pfctl -a luserhosts:hosta -Fr
> More and smaller firewalls (like someone suggested) is not an option.
that was very bad advice.
--
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
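A worked version of the per-host anchor scheme described in the reply above, as an added example that is not code from the thread: it generates a strict ruleset for one host and the pfctl commands that load it into, or flush it from, that host's sub-anchor, so a lease change never requires reloading the whole ruleset. The anchor name luserhosts, the placeholder directory /path/to/rules/for, and the policy (each host may only open TCP connections to a listed set of ports) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): per-host rules in their
# own sub-anchor, loaded and flushed independently of the main ruleset.
# ANCHOR, RULEDIR and the allowed-ports policy are assumptions.

ANCHOR=luserhosts           # "anchor luserhosts" sits in the main ruleset
RULEDIR=/path/to/rules/for  # placeholder directory for per-host rule files

# Print the ruleset for one host: stateful pass for the listed TCP
# destination ports, then block everything else from that address.
# Both rules use quick, so the first match inside the anchor decides.
# Usage: gen_host_rules <host> <ip> '<port, port, ...>'
gen_host_rules() {
    host=$1; ip=$2; ports=$3
    printf '# %s (%s), loaded into anchor %s:%s\n' "$host" "$ip" "$ANCHOR" "$host"
    printf 'pass in quick proto tcp from %s to any port { %s } keep state\n' "$ip" "$ports"
    printf 'block in quick from %s to any\n' "$ip"
}

# pfctl command that loads a host's rule file into its sub-anchor.
load_cmd() {
    printf 'pfctl -a %s:%s -f %s/%s\n' "$ANCHOR" "$1" "$RULEDIR" "$1"
}

# pfctl command that flushes only that host's sub-anchor rules.
flush_cmd() {
    printf 'pfctl -a %s:%s -Fr\n' "$ANCHOR" "$1"
}

# New lease handed out: write the host's rules and load them.
# Usage: lease_up hosta 10.0.0.5 '22, 80, 443'
lease_up() {
    gen_host_rules "$1" "$2" "$3" > "$RULEDIR/$1"
    eval "$(load_cmd "$1")"
}

# Lease gone: remove the host's rules, leaving every other anchor intact.
# Usage: lease_down hosta
lease_down() {
    eval "$(flush_cmd "$1")"
}
```

Run lease_up and lease_down from the DHCP server's lease hooks; only those two functions touch pfctl, the rest just builds text and can be checked without root.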