tech-net archive


Re: npf vs. pf



On 10/12/2014 06:15, D'Arcy J.M. Cain wrote:
> I have been having issues with pf.  See "pf add not working" in
> netbsd-users for details.  Basically I have created a persistent table
> and dynamically add and delete to/from it based on my intrusion
> system.  Everything seems to work but even with IPs in the table as
> shown by pfctl it seems that people still get through.  Something weird
> is going on.  I wonder if it is pf itself.
>
> I asked if npf would have a good shot at fixing this issue but no one
> has replied to that question.  Anyone here have any thoughts on that?

npfctl(8) can definitely do that -- see "npfctl table"

http://www.netbsd.org/~rmind/npf/

> Is npf stable enough to consider replacing pf on a production server?
>
> Thanks.

Best way to confirm this is to give it a go. Depending on the features you are using it can be a drop-in replacement or require tweaking to reach the same functionality.

I got it running @home and it works fine, but my setup is pretty standard (stateful filtering and binat).

BTW rmind@ does a wonderful job at supporting it.

--
Jean-Yves Migeon
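As an added illustration (not part of this thread and not taken from the NPF project's own documentation), a minimal npf.conf showing the kind of dynamic table that "npfctl table" manipulates, together with the npfctl commands that add, remove and list entries. The interface name, the table name and the 192.0.2.0/24 addresses are placeholders, and the syntax is assumed to follow the NetBSD 7-era grammar, so check npf.conf(5) and npfctl(8) for your release.

```conf
# npf.conf (assumed NetBSD 7-era syntax; adjust for your release)
$ext_if = "wm0"                  # placeholder interface name

# Dynamic table: starts empty and is populated at runtime with npfctl(8)
table <blocklist> type ipset

group "external" on $ext_if {
    # A rule must reference the table, otherwise adding entries to it
    # changes nothing.  "final" stops at this rule on a match; without it
    # NPF keeps evaluating and the last matching rule decides.
    block in final from <blocklist>
    pass stateful out final all
}

group default {
    pass final on lo0 all
    block all
}

# Runtime management (run as root):
#   npfctl reload                           # load the configuration above
#   npfctl start
#   npfctl table blocklist add 192.0.2.10   # constructed example address
#   npfctl table blocklist list             # confirm the entry is present
#   npfctl table blocklist rem 192.0.2.10   # remove it again
#   npfctl show                             # verify a rule references <blocklist>
```

When entries are visible in the table but traffic still passes, comparing "npfctl show" with the intended rule order is the first check, since a table that no rule references or a later pass rule that wins is indistinguishable from a table that is not working.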

