Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 1:12 AM, Toma Bodar wrote:

I don't know if you find one document about PF, but here it is http://home.nuug.no/~peter/pf/en/ same author wrote book about PF.

Yup. That's one of the books I read -- but pf seems to have moved since then. Thanks for the link to this major

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:

no need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense. see the 3 articles on undeadly about pf for some fundamentals, starting here;

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 9:26 PM, Ryan McBride wrote:

I can't speak for the books, and I KNOW Google is full of lies, but can you point out specifically what parts of the website docs and man page talks about this? It should be removed.

After going through the replies I've received, I'm thinking

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 3:33 PM, Vadim Zhukov wrote:

Bad idea. pf is not iptables. Read FAQ for examples, and start from scratch using tricks from those examples, not from iptables.

My biggest problem seems to have been total ignorance of the depth of the optimizer. I didn't see much in the way

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:

no need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense.

Well, I'll be damned. The pf optimizer actually works! If I order the rules properly and put in enough info into them that pf can

Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 3:08 PM, Ted Unangst wrote:

The optimizer is documented in both the pfctl and pf.conf man pages, and the one for pf.conf tells you exactly what it does.

In pfctl's man page (4.6), there is a statement that the kernel sometimes skips rules -- no mention of the optimizer

Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 4:11 PM, Theo de Raadt wrote:

Since it just does what a good system should do, what is there to go into at length about?

What it does. How it does it. If that were documented, it'd sure be easier to use the tools more effectively.

Yes, other systems taught you to

pf n00b

2009-10-31 Thread ghe
I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the documentation is even pretty decipherable, but I'm still a little confused by pf. I managed to build a trivial filter, but there are a few things I don't understand. I read somewhere (3 books, Google, the website docs,