Namaste Peter, Tusen takk for your reply.
> Sent: Saturday, December 19, 2020 at 3:32 PM
> From: "Peter Nicolai Mathias Hansteen" <pe...@bsdly.net>
> To: "misc" <misc@openbsd.org>
> Subject: Re: pf.conf parser/lint
>
>> On 19 Dec 2020 at 14:50, Aham Brahmasmi <aham.brahma...@gmx.com> wrote:
>>
>>> Always put your interfaces into groups. Identify based upon the groups.
>>
>> In case there are more such simple rules of thumb, could you please
>> share them?
>
> I think that piece of advice is one of the more important ones you're likely
> to get.
>
> Adding to that, in my experience, the important thing is to make your
> configurations as simple as possible but not simpler :)
>
> I would like to stress using pf.conf readability features as helpers to
> keeping your config maintainable, so
>
> * use service names when feasible instead of port numbers,
> * use tables for groups of IP addresses
> * use macros where they do help readability
> * write rules that specify only what would be deviation from the default (the
>   defaults are, in general, sane)
> * before actually loading a changed config, run pfctl -vnf /etc/pf.conf to see
>   what *actually* loads
>
> That last one will among other things show you the result of the ruleset
> optimizer's work, so when you see obviously generated table names, you likely
> have a set of rules that differ only in their source or destination address.
> That is a surprisingly frequent phenomenon, and for some reason more people
> than you would think are unaware that you can initialize a table or even load
> new content into one from a separate file.

All of the above are good simple rules of thumb.

For the defaults, I try to explicitly write some of them sometimes. I find this helpful because it is difficult for me to remember what the defaults are. However, I do understand that I run the risk of being caught unawares if the defaults are changed for some good reason. Trade-offs :)

> If you haven't already, you might glean a few useful bits from going through
> the PF tutorial slides at https://home.nuug.no/~peter/pftutorial/
> <https://home.nuug.no/~peter/pftutorial/> and links therein.

I have, and tusen takk once again for the slides, tutorials and talks.

> All the best,
> Peter

Additionally, I encountered some more such useful rules of thumb from Stuart's reply [0] on another thread, which coincidentally also mentions interface groups.

" ...Tagging...received-on...interface groups...priority or queues or flow queues... "

Dhanyavaad,
ab

[0] - https://marc.info/?l=openbsd-misc&m=160068271606631&w=2
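A pf.conf fragment that puts the rules of thumb from the quoted reply together in one place: interface groups instead of device names, service names from services(5), tables (one of them loaded from a file), macros only where they help, and only deviations from the defaults spelled out. This is an added example, not from Peter's message or the OpenBSD project; the group name lan, the table name bruteforce and the file path /etc/pf/bruteforce.txt are assumptions.

```pf
# Interfaces are identified by group, not by driver name. "egress" is set
# automatically on the interface holding the default route; "lan" is a
# constructed group assigned with: ifconfig <if> group lan
ext_if = "egress"
int_if = "lan"

# Service names from services(5) instead of bare port numbers.
tcp_services = "{ ssh, domain, www, https }"
udp_services = "{ domain, ntp }"

# Tables for groups of addresses. The bruteforce table is kept across
# reloads (persist) and seeded from a file (assumed path, one address per
# line), so blocked hosts survive a ruleset reload.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3 }
table <bruteforce> persist file "/etc/pf/bruteforce.txt"

set skip on lo

# Only deviations from the defaults: default deny, then explicit passes.
# keep state is the default on pass rules, so it is not repeated below.
block log all
block drop in quick on $ext_if from <martians>
block drop in quick on $ext_if from <bruteforce>

pass out quick on $ext_if inet proto { tcp, udp }

# Rate-limit ssh from outside; offenders land in the table above.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp to ($ext_if) port { www, https }

pass in on $int_if inet proto tcp to any port $tcp_services
pass in on $int_if inet proto udp to any port $udp_services
```

Check with pfctl -vnf /etc/pf.conf before loading: the -v output shows the rules as they will actually load, with macros and service names expanded and any tables the optimizer generated, and pfctl -t bruteforce -T show lists the current contents of the file-backed table.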