[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf-newbie Q: Migrating from ip-filter to pf


OK, first, I still use ip-filter, I have never tried to use packet-
filter, so you may consider me a pf-newbie :-) If you don't like
newbies I'm perfectly ok with that, just delete the mail :-)

I have read pf-howto and pfctl(8) and pf.conf(5) but still please
excuse me if I have some previously discussed questions. If so,
please refer me to the appropriate source - thanks.

First, I must admit that coming from ip-filter I first look at
what is and what is not supported.

The first thing I discovered is that pf does not support
groups. I may just need a brain-patch :-), but I really think
that groups are neat.

Apart from not having to code support for groups, and that skip-
step provide an alternate means of optimization, what is the
reason not to provide such support? I am sure this has been
discussed somewhere, but please enlighten me.

Second, how do I delete a rule from the active ruleset?

Third, accounting, there seem to be no "count" keyword, I see
that packets are counted for each rule they match, if accounting
has been enabled for that interface.

The documentation states that when using state-full filtering
packets will still be counted for the rule that created the state
entry. So writing pass rules instead of count rules should suf-

I'd like to have the overall statistics and the host specific for
accounting purposes.


  block in on fxp0 from any to any
  pass  in on fxp0 from to any keep state
  pass  in quick on fxp0 from to any keep state

Count traffic from in both rules? (then I guess it
will also be counted in the previos block rule?) Or do I need to
script my way to overall statistics?

In the above example I would get the upload, but I am more inte-
rested in the download. (well in fact, I'd like both). Since I use
keep state,

  pass out on fxp0 from any to
  pass out quick on fxp0 from any to

would not be mathed. How do I get both up- and download?

Finally, from the documentation it appears that there is no such
thing as an active and an inactive ruleset?, pfctl cannot swap?


Erik Norgaard

GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub  1024D/B02CC311 2004-04-05 Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
     Key fingerprint = 6C11 B9B1 52BD F16D 34AD  9893 D3EC E6DB B02C C311

Visit your host, monkey.org