Subject: Re: pf status
To: John Nemeth <>
From: Pavel Cahyna <>
List: current-users
Date: 07/29/2005 12:42:21
On Fri, 29 Jul 2005 02:58:15 -0700, John Nemeth wrote:

>      I think I have commented on this before.  However, what I would
> like to see is something akin to the way Cisco's IOS works.  Under IOS,
> you define an access-list then you assign it to various places.  I.e.
>      I think integrating pf and ALTQ is very much the wrong thing to
> do.  This would make ALTQ only usable with pf.  Using the above idea,
> we separate packet classification from treatment.  This would allow any

I like your idea, but the integration with firewalls sounds like a much
easier task. (Or have you already started implementing your idea?)

> packet classification engine (i.e. pf, ipfilter) to be used with any

pf and ipf aren't just packet classification engines, they do more:
reject the packets, modify them or send ICMP error messages. How could
they be used as classification engines? It seems that the easiest way is
to let them tag the packets in addition to logging them, blocking them
and other actions, and then let ALTQ use those tags. But isn't that
exactly what pf/ALTQ integration does?

> packet treatment.  Giving flexibility like this seems to me to be the
> right way to go and to me would be the NetBSD way to do it.

It seems that integration of ALTQ with any firewall is easier than you
think. See the message by Miles Nordin on this subject to the port-sparc64
mailing list (Message-Id: <oq64uyqtmc.fsf@castrovalva.Ivy.NET>).

Bye	Pavel