Re: Packet Filtering

On Feb 13, 10:28am, Robert Swindells wrote:
} John Nemeth wrote:
} >On Feb 13,  3:22am, Robert Swindells wrote:
} >} 
} >} What is the recommended way of doing packet filtering in
} >} NetBSD-current?
} >
} >     -current as of what date, and what version?  And, are both
} >userland and the kernel from the same date?
} I am running -current as of this afternoon now, kernel and userland
} match. I was running a version from the same time yesterday when
} I wrote the first email.

     Okay.  That was kind of an important detail that was left out.

} >} I have tried IPF, PF and NPF, and can't get any of them to work
} >} properly.
} >
} >     PF seems to be essentially unmaintained and is getting a little
} >long in the tooth.  IPF recently had a major update.  NPF is, of
} >course, new.
} I know, I was asking for suggestions on what was working for other
} people.

     I have been using IPF and will probably stick to it for now.  Just
how well that works out is something I intend to find out in the not
too distant future.

} I have switched back to IPF.
} It would still be nice to be able to prevent access to ports from outside.

     Any of the packet filters should be able to do this quite easily.

} >} NPF generates a core dump if I run "npfctl show" and locks up
} >} completely afterwards.
} >
} >     I remember seeing a bug report about this.  You might just need to
} >update your system to get it fixed.
} The core dump problem has been fixed by rmind today.
} I guess part of my point was that we have just released NetBSD-6.0;
} are people who install it or upgrade to it from NetBSD-5 going to have
} similar problems to me?

     -current is not the same as 6.0.  There have been changes to both
in -current that aren't in 6.0.  Hopefully what is in 6.0 is stable and

} IPF seems reliable but the syntax of the configuration file is, to me,
} a lot harder to use than those of PF and NPF. The examples for IPF
} have also not been updated for 5.1.1.

     I don't think there were any changes in IPF for 5.1.1.  Due to
problems with the author's employer, IPF didn't change for quite some
time.  Now that the author no longer has the same employer there has
been a flurry of activity.  IPF has had a major update for 6.0.  I
don't know if those will get pulled up to netbsd-5 or not.

}-- End of excerpt from Robert Swindells
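As an added example, not from either poster: an IPF ruleset (ipf.conf) that does what Robert asks for, blocking unsolicited access to every port on the external interface while still letting the host open its own connections. The interface name wm0 and the single exposed service (ssh on tcp/22) are assumptions.

```conf
# /etc/ipf.conf -- added example, not from this thread.
# Assumes the external interface is wm0 (assumption) and that only ssh
# (tcp/22) should be reachable from outside.  Every rule carries "quick",
# so IPF stops at the first match instead of its default last-match
# evaluation; ordering therefore matters, specific passes go first.

# Loopback traffic is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Let this host open its own connections; the state entry admits the
# replies, so no inbound rule is needed for them.
pass out quick on wm0 proto tcp  from any to any flags S keep state
pass out quick on wm0 proto udp  from any to any keep state
pass out quick on wm0 proto icmp from any to any keep state

# The one service deliberately exposed: new TCP connections to port 22.
pass in quick on wm0 proto tcp from any to any port = 22 flags S keep state

# Default deny for everything else on the external interface; "log"
# hands blocked packets to ipmon(8) so rejected probes are visible.
block in  log quick on wm0 all
block out log quick on wm0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and set `ipfilter=YES` in /etc/rc.conf so the ruleset is installed at boot.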

