On Mon, 17 Mar 2008, Stuart Henderson wrote:

> On 2008-03-17, Dave Anderson <[EMAIL PROTECTED]> wrote:
>> I've been working on the pf configuration for my home firewall,
>> including setting up ftp-proxy. I've noticed that the command is
>> getting cluttered with options to adjust the rules it creates to the
>> needs of different pf configurations.
>
> it would be better to turn this on its head, and handle these in
> the anchor definition in pf.conf (i.e. define options which should
> be applied to all rules under that anchor: log, tag, queue, label,
> rtable, blah blah blah).

Upon consideration, I at least partially agree with you (and note that 4.3 is moving in this direction) -- but some things can't be applied to all of the rules in the anchor. I haven't thought it through carefully enough to know whether this is a significant issue but, as a minor example, I like to specify the interface in each rule (possibly overkill for these particular rules, but I'd expect it to at least reduce the total number of rule comparisons), and that will certainly differ from rule to rule (since I have both a DMZ and an internal network).

> doing this in ftp-proxy(/tftp-proxy/ftpsesame/pptp-proxy/wherever
> else you might want it) would be an inefficient way of handling this
> and annoying to keep everything in-sync.

Is this really a problem in practice? I'd think it likely that, since all of these are parsing text into a structure suitable for using in an ioctl on the pf device, they could all use a common procedure to perform that action. (I haven't examined the code, so there could be something which prevents this; if you have examined it and know that there is such a problem, I'll defer to your greater knowledge.)

Dave