Subject: Re: IPF 4.1.20
To: Brian Buhrow <buhrow@lothlorien.nfbcal.org>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: current-users
Date: 05/07/2007 22:15:22
[problems with ipf and stateful nfs traffic]

At 8:32 Uhr -0700 7.5.2007, Brian Buhrow wrote:
>Is switching to pf, as opposed to ipf, an option?

I thought about that a while back. As it is, I came across three major
obstacles, two of technical nature, and one of... well, social nature.

The technical issues are that (a) pf keeps state per-interface (or so I
understand), whereas ipf state is machine-global. The machine in question
routes to eight subnets, and pf would considerably increase the number of
stateful rules per interface. You could probably work around that by
extensive use of macros, but I find that inflates the namespace and rather
obscures the rule base. And (b), my current ruleset relies heavily on
(per-interface) groups, for structuring the ruleset more than performance,
and pf does not support groups.

The social issue is that I seem to be emotionally incompatible with what
appears to be normal tone towards people asking questions on openbsd lists.

The more I think of it, the more sense it makes to set up a test
environment, both to reproduce the problems I see outside a production
environment, and to try out various software.

	hauke

--
"It's never straight up and down"     (DEVO)
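As an added illustration, not taken from the mail above, of the structuring difference Hauke describes: a constructed ipf ruleset that uses per-interface head/group rules, followed by the same policy written for pf with macros. Interface names, addresses and ports are assumptions, as is the two-interface layout (the machine in the mail routes to eight subnets).

```conf
# --- /etc/ipf.conf (constructed example) ---------------------------------
# Head rules: one per interface and direction. A packet that matches a
# head is then checked only against the rules carrying that group number,
# which is what keeps a multi-interface ruleset readable.
block in  on fxp0 all head 100
block out on fxp0 all head 150
block in  on fxp1 all head 200
block out on fxp1 all head 250

# Group 100: inbound on fxp0 (assumed upstream side)
pass in quick proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state group 100
pass in quick proto icmp from any to any icmp-type echo group 100

# Group 200: inbound on fxp1 (assumed LAN side); NFS over UDP to one server
pass in quick proto udp from 192.168.1.0/24 to 192.0.2.20/32 port = 2049 keep state group 200
pass in quick proto tcp from 192.168.1.0/24 to any flags S keep state group 200

# --- /etc/pf.conf (constructed example, same policy) ---------------------
# pf has no group keyword; the per-interface structure is carried by
# macros and by repeating "on $if" in every rule.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
sshd   = "192.0.2.10"
nfs    = "192.0.2.20"

block all
pass in quick on $ext_if proto tcp to $sshd port 22 flags S/SA keep state
pass in quick on $ext_if inet proto icmp icmp-type echoreq
pass in quick on $int_if proto udp from $lan to $nfs port 2049 keep state
pass in quick on $int_if proto tcp from $lan to any flags S/SA keep state
```

With eight interfaces the pf version needs one macro per interface and a full copy of the "on $if" rules for each, which is the namespace inflation the mail refers to.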