
Re: pf-newbie Q: Migrating from ip-filter to pf



Groups are an awful kludge - blocks of rules which blow away the
top-down order of the rulebase because the parser is too dumb.

I specifically suggested to daniel that PF should auto-optimise so
that the value of groups for optimisation was dubious.

You need groups like a hole in the head, it's like asking why OpenBSD
doesn't have a GUI-based FSCK, like "scandisk".....
It's not about "support" it's that "groups are a dumb kludge"

Support? PF Optimises the rules *FOR YOU*.

Think about it a minute - you could write a pre-parser for IPF to
take a rule file and generate one with head/groups so that IPF
doesn't check the first 99 rules which are TCP against a UDP packet.  

Or you could have a sensible match function in your packet filter
that can say "oh, it's UDP, the first UDP rule is #67, best jump
right to that one".

Deleting a rule? Err, I'd just reload your ruleset.
If you think that's overkill, how do you swap two rules round in IPF ?

Dunno about PF accounting, do further that upstream :-)

Active and inactive rulesets? Does any other packet filter have this?
What's wrong with just loading the rules file you want?
If you're going to start having in kernel "backups" of the rules,
why stop at one copy, why not be able to say "go back to the copy of
the rules held in kernel memory from 3 weeks ago".
Because it's dumb. I can't think of a single reason why active/inactive
rulesets would be "better" than two "files".  Maybe, just maybe,
if you're switching rulebases every few seconds? beats me.

Sorry to rant, but I've used so many different filters & proxies
over the years, that you kinda hit a nerve by asking about all
of IPF's biggest kludges and dumb ""features"".

It's kinda like a post saying:
"My old Model-T had metal bumpers which made it easy to reverse-park,
as I could just listen for the "crunch".  But this new BMW has plastic
bumpers, a quiet cabin and a noisy "rear parking sensor" thing which
makes it almost impossible to hear the "crunch" anymore...."

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of
Erik Norgaard
Sent: Saturday, April 17, 2004 8:50 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: pf-newbie Q: Migrating from ip-filter to pf

Hi,

OK, first, I still use ip-filter, I have never tried to use packet filter,
so you may consider me a pf-newbie :-) If you don't like newbies I'm
perfectly ok with that, just delete the mail :-)

I have read pf-howto and pfctl(8) and pf.conf(5) but still please excuse me
if I have some previously discussed questions. If so, please refer me to the
appropriate source - thanks.

First, I must admit that coming from ip-filter I first look at what is and
what is not supported.

The first thing I discovered is that pf does not support groups. I may just
need a brain-patch :-), but I really think that groups are neat.

Apart from not having to code support for groups, and that skip-step
provide an alternate means of optimization, what is the reason not to
provide such support? I am sure this has been discussed somewhere, but
please enlighten me.

Second, how do I delete a rule from the active ruleset?

Third, accounting, there seems to be no "count" keyword, I see that packets
are counted for each rule they match, if accounting has been enabled for
that interface.

The documentation states that when using stateful filtering packets will
still be counted for the rule that created the state entry. So writing pass
rules instead of count rules should suffice.

I'd like to have the overall statistics and the host specific for accounting
purposes.

Will

  block in on fxp0 from any to any
  pass  in on fxp0 from 172.16.0.0/16 to any keep state
  pass  in quick on fxp0 from 172.16.1.1/32 to any keep state

Count traffic from 172.16.1.1 in both rules? (then I guess it will also be
counted in the previous block rule?) Or do I need to script my way to overall
statistics?

In the above example I would get the upload, but I am more interested in
the download. (well in fact, I'd like both). Since I use keep state,

  pass out on fxp0 from any to 172.16.0.0/16
  pass out quick on fxp0 from any to 172.16.1.1/32

would not be matched. How do I get both up- and download?

Finally, from the documentation it appears that there is no such thing as an
active and an inactive ruleset, and pfctl cannot swap?

Thanks,

Erik Norgaard

GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub  1024D/B02CC311 2004-04-05 Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
     Key fingerprint = 6C11 B9B1 52BD F16D 34AD  9893 D3EC E6DB B02C C311
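As an added example (not part of either mail), Erik's ruleset with pf's `label` keyword attached to each rule, so the per-rule counters he asks about can be read back with `pfctl -s labels`; the interface and addresses are the ones from his post, the label names are made up here.

```pf
# Added example, not from either mail: Erik's fxp0 rules with "label"
# attached so per-rule counters can be read back with "pfctl -s labels".
# Assumes the same interface (fxp0) and addresses he used; label names
# are arbitrary.

# pf evaluates the rules top to bottom and the *last* match wins, unless
# "quick" ends evaluation at that rule.  Every rule that is evaluated
# bumps its "evaluations" counter, but packets/bytes are added only to the
# rule that finally decided the packet, so a packet from 172.16.1.1 is
# not charged to the block rule or the /16 rule, only to the quick rule.
block in on fxp0 from any to any                           label "drop-in"

pass  in on fxp0 from 172.16.0.0/16 to any keep state      label "lan-in"
pass  in quick on fxp0 from 172.16.1.1/32 to any keep state \
                                                          label "host-172.16.1.1"

# Reply packets of a connection are matched by the state entry, not by the
# ruleset, and are charged to the rule that created the state.  So the
# "host-172.16.1.1" counters above already hold upload and download added
# together, and these "pass out" rules are only consulted for outbound
# packets that no existing state covers.
pass out on fxp0 from any to 172.16.0.0/16                 label "lan-out"
pass out quick on fxp0 from any to 172.16.1.1/32           label "host-out-172.16.1.1"
```

`pfctl -s labels` prints one line per label with its evaluation, packet and byte counters, which is what a script would parse for overall statistics; `pfctl -vsr` shows the same counters per rule.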