[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
pf-newbie Q: Migrating from ip-filter to pf
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf-newbie Q: Migrating from ip-filter to pf
- From: Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
- Date: Sat, 17 Apr 2004 21:49:34 +0200 (CEST)
OK, first, I still use ip-filter, I have never tried to use packet-
filter, so you may consider me a pf-newbie :-) If you don't like
newbies I'm perfectly ok with that, just delete the mail :-)
I have read pf-howto and pfctl(8) and pf.conf(5) but still please
excuse me if I have some previously discussed questions. If so,
please refer me to the appropriate source - thanks.
First, I must admit that coming from ip-filter I first look at
what is and what is not supported.
The first thing I discovered is that pf does not support
groups. I may just need a brain-patch :-), but I really think
that groups are neat.
Apart from not having to code support for groups, and that skip-
step provide an alternate means of optimization, what is the
reason not to provide such support? I am sure this has been
discussed somewhere, but please enlighten me.
Second, how do I delete a rule from the active ruleset?
Third, accounting, there seem to be no "count" keyword, I see
that packets are counted for each rule they match, if accounting
has been enabled for that interface.
The documentation states that when using state-full filtering
packets will still be counted for the rule that created the state
entry. So writing pass rules instead of count rules should suf-
I'd like to have the overall statistics and the host specific for
block in on fxp0 from any to any
pass in on fxp0 from 172.16.0.0/16 to any keep state
pass in quick on fxp0 from 172.16.1.1/32 to any keep state
Count traffic from 172.16.1.1 in both rules? (then I guess it
will also be counted in the previos block rule?) Or do I need to
script my way to overall statistics?
In the above example I would get the upload, but I am more inte-
rested in the download. (well in fact, I'd like both). Since I use
pass out on fxp0 from any to 172.16.0.0/16
pass out quick on fxp0 from any to 172.16.1.1/32
would not be mathed. How do I get both up- and download?
Finally, from the documentation it appears that there is no such
thing as an active and an inactive ruleset?, pfctl cannot swap?
GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub 1024D/B02CC311 2004-04-05 Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
Key fingerprint = 6C11 B9B1 52BD F16D 34AD 9893 D3EC E6DB B02C C311
Visit your host, monkey.org