Re: How to make npf tables persist?

[tr%vispaul.me@localhost]

On 2016-07-27 18:16, Swift Griggs wrote:
> On Wed, 27 Jul 2016, tr%vispaul.me@localhost wrote:
> > That solves my immediate need but I still would be interested in 
> > knowing
> > how to save tables that have been altered through npfctl.
>
> When I've needed something like this in the past, I've usually just
> written an 'rc' script to save the rules before rebooting. You can also
> use a cronjob-based script that compares the running ruleset with the
> stored ruleset. When there is a delta, it saves the running ruleset.

I was thinking about using an rc script as well so I think that's
the approach I will use.

> I think what a lot of folks expect (since it's the norm with Linux) is
> that there is a fairly obtuse command line tool for the actual
> add/drop/modify operations a ruleset and a wrapper command that handles
> save/load/reload/stop operations for the filter-set globally as well as
> having some modes to "simplify" the rule syntax.

Most of my firewall configuration experience is with IPTables on Linux 
so
I indeed had some expectation that it would work this way.

> I personally don't consider that model optimal. I think the IP Filter 
> (and
> so PF, and NPF) have the right idea (beautiful and easy to read syntax 
> in
> a text file with solid binary tools for operational control) and the
> toolset is good. The only thing I'd add at this point would be
> modifications to the rc script that include some optional way to 
> preserve
> the rules akin to what you are asking about. Perhaps there is some
> existing mechanism and I just don't know about it.
>
> -Swift

I do like the syntax for npf much better than IPTables and syncing the 
rules
in an rc script isn't a huge deal.

Thanks for the advice!