Re: Flagging pf

[D'Arcy Cain <darcy%NetBSD.org@localhost>]

On 11/20/2011 03:58 AM, Luke Mewburn wrote:
> On Sat, Nov 19, 2011 at 12:02:54AM -0500, D'Arcy Cain wrote:
>    | Is there any reason that /etc/rc.d doesn't use the ${pf_flags} variable?
>
> Probably not, although I don't see a default value for pf_flags
> in etc/defaults/rc.conf.  I'd recommend updating that in sync.

Good point.  The default is "" so it works anyway but it's good for 
documentation purposes.

> What extra (pfctl) options were you considering to use ?

Basically I want to use a common pf.conf for all my systems that 
includes the following lines:

# Exempt internal interfaces
pass quick on lo0
pass quick on $int_if

# Filtering: the implicit first two rules are
block in log on $ext_if
pass out all

pass in inet proto icmp all icmp-type echoreq modulate state
pass in proto udp from any port 123 to any
pass in quick on $ext_if from <FRIENDS> to any keep state

So my pf_flags would be "-Dext_if=bge0 -Dint_if=bge1" with different 
values on each system.

> (I see that rc.d ipfilter doesn't implement overrides either.)

Think I modify that as well?  There is also npf but I think that that is 
still under active development so I didn't want to touch it but it would 
be nice if it worked too for ehen I switch.

By the way, the other thing missing in all of these is an include 
facility.  That would have been a nice to have too.

--
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/