Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: How to make npf tables persist?
On 2016-07-27 18:16, Swift Griggs wrote:
On Wed, 27 Jul 2016, tr%vispaul.me@localhost wrote:
That solves my immediate need but I still would be interested in
knowing
how to save tables that have been altered through npfctl.
When I've needed something like this in the past, I've usually just
written an 'rc' script to save the rules before rebooting. You can also
use a cronjob-based script that compares the running ruleset with the
stored ruleset. When there is a delta, it saves the running ruleset.
I was thinking about using an rc script as well so I think that's
the approach I will use.
I think what a lot of folks expect (since it's the norm with Linux) is
that there is a fairly obtuse command line tool for the actual
add/drop/modify operations a ruleset and a wrapper command that handles
save/load/reload/stop operations for the filter-set globally as well as
having some modes to "simplify" the rule syntax.
Most of my firewall configuration experience is with IPTables on Linux
so
I indeed had some expectation that it would work this way.
I personally don't consider that model optimal. I think the IP Filter
(and
so PF, and NPF) have the right idea (beautiful and easy to read syntax
in
a text file with solid binary tools for operational control) and the
toolset is good. The only thing I'd add at this point would be
modifications to the rc script that include some optional way to
preserve
the rules akin to what you are asking about. Perhaps there is some
existing mechanism and I just don't know about it.
-Swift
I do like the syntax for npf much better than IPTables and syncing the
rules
in an rc script isn't a huge deal.
Thanks for the advice!
Home |
Main Index |
Thread Index |
Old Index