On Mon, 17 Mar 2008, Stuart Henderson wrote:

>On 2008-03-17, Dave Anderson <[EMAIL PROTECTED]> wrote:
>> I've been working on the pf configuration for my home firewall,
>> including setting up ftp-proxy.  I've noticed that the command is
>> getting cluttered with options to adjust the rules it creates to the
>> needs of different pf configurations.
>
>it would be better to turn this on its head, and handle these in
>the anchor definition in pf.conf (i.e. define options which should
>be applied to all rules under that anchor: log, tag, queue, label,
>rtable, blah blah blah).

Upon consideration, I at least partially agree with you (and note that
4.3 is moving in this direction) -- but some things can't be applied to
all of the rules in the anchor.  I haven't thought it through carefully
enough to know whether this is a significant issue but, as a minor
example, I like to specify the interface in each rule (possibly overkill
for these particular rules, but I'd expect it to at least reduce the
total number of rule comparisons) and that will certainly differ from
rule to rule (since I have both a DMZ and an internal network).

>doing this in ftp-proxy(/tftp-proxy/ftpsesame/pptp-proxy/wherever
>else you might want it) would be an inefficient way of handling this
>and annoying to keep everything in-sync.

Is this really a problem in practice?  I'd think it likely that, since
all of these are parsing text into a structure suitable for using in an
ioctl on the pf device, they could all use a common procedure to perform
that action.  (I haven't examined the code, so there could be something
which prevents this; if you have examined it and know that there is such
a problem, I'll defer to your greater knowledge.)

        Dave
