tech-kern archive


Re: Removing PF



On Thu, 4 Apr 2019 19:51:14 +0000, Taylor R Campbell <riastradh%NetBSD.org@localhost>
wrote:

First, thanks for gathering all the things mentioned so far into a single
posting.

> There's also extended documentation, beyond the man pages, here:
> 
> https://rmind.github.io/npf/

Then the following needs to be added to the "TODO" list:

  TODO:  incorporate website documentation into local manual pages.

If I need to access a web site to configure the firewall and need the
firewall configured to access the web site, I'm stuck.


> - ftp-proxy (Jan Danielsson)

"Me too."

> - pf netifN:0, netifN:network notation (John D. Baker)

To be clear, the notation itself is immaterial, but the functionality
it represents is what is needed.

> - address subset selection (John D. Baker)

This is more a generic statement about what pf's "netifN:0" does.  For
my current needs an equivalent to "netifN:0" is sufficient, but I can
imagine a case for an interface with more than two addresses of the same
family in different networks and needing to select any subset of them.

> - dynamic ifaddrs(netifN) (John D. Baker)

The "ifaddrs(netifN)" function is what evaluates the addresses on the
interface with each reference in a rule, or so the documentation makes
it appear.  Contrast with "inet4(netifN)" or "inet6(netifN)" that is
only evaluated when the configuration file is loaded.  "ifaddrs(netifN)"
appears to be the equivalent of pf's "(netifN)", but always returns the
full list of all addresses on an interface, so cannot be used in a NAT
(map foo -> bar) statement.  Hence the desire to select a subset or at
least only the first address in the list, e.g., pf's "(netifN:0)" dynamic
address evaluation with return of only first address.

> - pf synproxy state (John D. Baker)

Be sure such implementation can be used in a straightforward fashion
on host firewalls protecting local services.  With the current 'pf'
in NetBSD, I have to have services listen on a dummy interface (I create
"lo1") and redirect traffic to it for synproxy state to work.

For services redirected (port forwarded) to an internal or DMZ host,
it works as expected without any subterfuge.

> - ipf migration path (manu)

and likewise a pf migration path.

> - altq (Thor Lancelot Simon)

Yes, please.

> - greylisting integration (MLH)

This, too.  I use 'spamd' with 'pf' and would like to keep such
facility.


I should be able to write a config file that can be copied to other
systems and used either with no changes at all, or changing only those
variables which name the network interfaces.  E.g., swap out SPARC-based
router for net4501.  Copied "pf.rules" (my config file) from SPARC to
Soekris box, change variables defining interfaces and away we go.

-- 
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645

