On Wed, Feb 05, 2003 at 04:24:08PM +0100, Ed White wrote:
> Hi,
>
> I've a quick question for PF developers:
>
> if PF checks the ruleset every time a packet passes through an interface this means
> that for a classic gateway/bridge/firewall it will evaluate the ruleset 2 times.
> One going in if1 and going out if2, right ?

yes. though, state table match comes first.

> So Daniel has created skip-steps that let you jump all (or a lot of) rules
> related to other interfaces.

yes,

> But why don't you separate ruleset files ?

why should you?

> pf.conf (all global definitions)
> pf.rl0
> pf.fxp0
> pf.dc0
> pf.dc1
> pf.tun0
>
> So you'll be sure to evaluate interface related rules only.
>
> What about ?

what about

cat /etc/pf.* | pfctl -f -

? ;-)

or, your master pf.conf just contains

anchor dc0 on dc0 all
anchor dc1 on dc1 all

etc

and you load the individual files into the anchors like that:

pfctl -a dc0:rules -f /etc/pf.dc0
pfctl -a dc1:rules -f /etc/pf.dc1

so many options...

(i'm tempted to add a quote: "This is Unix. Stop acting so helpless.")

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
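The per-interface anchor layout Henning sketches, written out as an added shell example; this is not code from the thread or from the pf project. It assumes the interface list from Ed's mail, the OpenBSD 3.x-era anchor syntax quoted above (`anchor NAME on IF all`, `pfctl -a NAME:rules`; current pf drops the `:rules` suffix and writes `anchor "NAME" on IF`), and the function names are mine. The script generates the master pf.conf body, loads each `/etc/pf.IF` file into its anchor, and first checks that every anchor named in the master file actually has a rule file, since an anchor with no rules loaded into it silently matches nothing and leaves that interface to whatever the global rules say.

```shell
#!/bin/sh
# Added example (not from the mail): per-interface pf rules held in anchors.
# Assumes OpenBSD 3.x-era syntax as quoted in the thread; on modern pf use
# 'anchor "IF" on IF' and 'pfctl -a IF -f FILE' instead.

# Interfaces whose rules live in their own /etc/pf.IF file (constructed list).
PF_IFACES="rl0 fxp0 dc0 dc1 tun0"

# Emit the master pf.conf body: one anchor per interface, bound to that
# interface, so the main ruleset only dispatches into the matching anchor and
# never walks another interface's rules for this packet.
gen_master_conf() {
    for ifc in $PF_IFACES; do
        printf 'anchor %s on %s all\n' "$ifc" "$ifc"
    done
}

# The pfctl invocation that loads one interface's rule file into its anchor.
load_cmd() {
    printf 'pfctl -a %s:rules -f /etc/pf.%s\n' "$1" "$1"
}

# Load every anchor. With DRY_RUN=1, or when no pfctl binary is present, the
# commands are printed instead of executed so they can be reviewed first.
load_all() {
    for ifc in $PF_IFACES; do
        cmd=$(load_cmd "$ifc")
        if [ "${DRY_RUN:-0}" = 1 ] || ! command -v pfctl >/dev/null 2>&1; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Pre-load check: every interface in the master file needs a rule file in
# DIR (default /etc). A missing file means an empty anchor, i.e. no
# interface-specific filtering at all on that interface. Returns the number
# of missing files and names them on stderr.
check_rule_files() {
    dir=${1:-/etc}
    missing=0
    for ifc in $PF_IFACES; do
        if [ ! -f "$dir/pf.$ifc" ]; then
            echo "missing $dir/pf.$ifc" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run `check_rule_files && load_all` after `pfctl -f /etc/pf.conf` has installed the master ruleset; reloading one interface's rules is then a single `pfctl -a IF:rules -f /etc/pf.IF` that leaves the other anchors untouched.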
