
pf-newbie Q: Migrating from ip-filter to pf



Hi,

OK, first, I still use ip-filter, I have never tried to use packet
filter, so you may consider me a pf-newbie :-) If you don't like
newbies I'm perfectly ok with that, just delete the mail :-)

I have read pf-howto and pfctl(8) and pf.conf(5) but still please
excuse me if I have some previously discussed questions. If so,
please refer me to the appropriate source - thanks.

First, I must admit that coming from ip-filter I first look at
what is and what is not supported.

The first thing I discovered is that pf does not support
groups. I may just need a brain-patch :-), but I really think
that groups are neat.

Apart from not having to code support for groups, and that
skip-steps provide an alternate means of optimization, what is the
reason not to provide such support? I am sure this has been
discussed somewhere, but please enlighten me.

Second, how do I delete a rule from the active ruleset?

Third, accounting: there seems to be no "count" keyword. I see
that packets are counted for each rule they match, if accounting
has been enabled for that interface.

The documentation states that when using stateful filtering
packets will still be counted for the rule that created the state
entry. So writing pass rules instead of count rules should
suffice.

I'd like to have the overall statistics and the host specific for
accounting purposes.

Will

  block in on fxp0 from any to any
  pass  in on fxp0 from 172.16.0.0/16 to any keep state
  pass  in quick on fxp0 from 172.16.1.1/32 to any keep state

count traffic from 172.16.1.1 in both rules? (Then I guess it
will also be counted in the previous block rule?) Or do I need to
script my way to overall statistics?

In the above example I would get the upload, but I am more
interested in the download. (Well, in fact, I'd like both.) Since I
use keep state,

  pass out on fxp0 from any to 172.16.0.0/16
  pass out quick on fxp0 from any to 172.16.1.1/32

would not be matched. How do I get both up- and download?

Finally, from the documentation it appears that there is no such
thing as an active and an inactive ruleset? pfctl cannot swap?

Thanks,

Erik Norgaard

GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub  1024D/B02CC311 2004-04-05 Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
     Key fingerprint = 6C11 B9B1 52BD F16D 34AD  9893 D3EC E6DB B02C C311
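As an added illustration of the "script my way to overall statistics" route asked about above (editor's example, not part of the original mail or of pf itself): a small parser for the verbose rule listing of pfctl, summing per-rule packet and byte counters per direction and per host. The sample listing is constructed, its numbers are made up, and the exact layout of the counter lines is an assumption about `pfctl -vsr` output.

```python
import re

# Constructed sample in the shape of `pfctl -vsr` output: each rule line is
# followed by an indented counter line. Numbers are invented, layout assumed.
SAMPLE_PFCTL_VSR = """\
block in on fxp0 all
  [ Evaluations: 1200      Packets: 300       Bytes: 45000       States: 0     ]
pass in on fxp0 inet from 172.16.0.0/16 to any keep state
  [ Evaluations: 900       Packets: 250       Bytes: 38000       States: 2     ]
pass in quick on fxp0 inet from 172.16.1.1 to any keep state
  [ Evaluations: 650       Packets: 120       Bytes: 17000       States: 1     ]
pass out on fxp0 inet from any to 172.16.0.0/16 keep state
  [ Evaluations: 700       Packets: 400       Bytes: 520000      States: 2     ]
pass out quick on fxp0 inet from any to 172.16.1.1 keep state
  [ Evaluations: 500       Packets: 200       Bytes: 310000      States: 1     ]
"""

COUNTERS_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
ENDPOINTS_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")

def parse_rules(text):
    """Return one dict per rule: action, direction, src, dst, packets, bytes."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        counters = COUNTERS_RE.search(line)
        if counters and line.startswith(" ") and rules:
            # Indented counter line: credit it to the rule printed just above.
            rules[-1]["packets"] = int(counters.group(2))
            rules[-1]["bytes"] = int(counters.group(3))
            continue
        words = line.split()
        ends = ENDPOINTS_RE.search(line)  # "all" means from any to any
        rules.append({"action": words[0], "direction": words[1],
                      "src": ends.group(1) if ends else "any",
                      "dst": ends.group(2) if ends else "any",
                      "packets": 0, "bytes": 0})
    return rules

def totals(rules, direction, host=None):
    """Sum (packets, bytes) over pass rules in one direction; with host set,
    only rules naming exactly that address as source or destination."""
    packets = byte_count = 0
    for r in rules:
        if r["action"] != "pass" or r["direction"] != direction:
            continue
        if host is not None and host not in (r["src"], r["dst"]):
            continue
        packets += r["packets"]
        byte_count += r["bytes"]
    return packets, byte_count
```

Because the quick rule for 172.16.1.1 ends evaluation, its traffic shows up only in that rule's counters, so the overall figure is the sum over all pass rules in a direction rather than the /16 rule alone; the per-host figure is just the rules that name the host.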