Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 1:12 AM, Toma Bodar wrote: I don't know if you found a document about PF, but here it is: http://home.nuug.no/~peter/pf/en/ The same author wrote a book about PF. Yup. That's one of the books I read -- but pf seems to have moved since then. Thanks for the link to this major

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote: no need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense. see the 3 articles on undeadly about pf for some fundamentals, starting here;

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 9:26 PM, Ryan McBride wrote: I can't speak for the books, and I KNOW google is full of lies, but can you point out specifically what parts of the website docs and man page talks about this? It should be removed. After going through the replies I've received, I'm thinking

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 3:33 PM, Vadim Zhukov wrote: Bad idea. pf is not iptables. Read FAQ for examples, and start from scratch using tricks from those examples, not from iptables. My biggest problem seems to have been total ignorance of the depth of the optimizer. I didn't see much in the way

Re: pf n00b

2009-11-01 Thread ghe
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote: no need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense. Well, I'll be damned. The pf optimizer actually works! If I order the rules properly and put in enough info into them that pf can

Re: pf n00b

2009-11-01 Thread Jason Dixon
On Sun, Nov 01, 2009 at 01:16:10PM -0700, ghe wrote: On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote: no need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense. Well, I'll be damned. The pf optimizer actually works! If I order the

Re: pf n00b

2009-11-01 Thread Ted Unangst
On Sun, Nov 1, 2009 at 4:16 PM, ghe g...@slsware.com wrote: This does bring a question to my mind, though. Why is this ruleset optimization kept a secret? It's a *very* major piece of pf, IMHO. I did a significant amount of reading and looking around, and I never saw it discussed in any detail

Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 3:08 PM, Ted Unangst wrote: The optimizer is documented in both the pfctl and pf.conf man pages, and the one for pf.conf tells you exactly what it does. In pfctl's man page (4.6), there is a statement that the kernel sometimes skips rules -- no mention of the optimizer

Re: pf n00b

2009-11-01 Thread Theo de Raadt
The earlier poster (Jason) is right: this *is* the way a firewall should work -- spend your time on implementing the security policy and let the 'compiler' worry about efficiency. But since the others don't, it might be a good idea to go into this at some length. Since it just does what

Re: pf n00b

2009-11-01 Thread ghe
On Nov 1, 2009, at 4:11 PM, Theo de Raadt wrote: Since it just does what a good system should do, what is there to go into at length about? What it does. How it does it. If that were documented, it'd sure be easier to use the tools more effectively. Yes, other systems taught you to

Re: pf n00b

2009-11-01 Thread Theo de Raadt
Since it just does what a good system should do, what is there to go into at length about? What it does. How it does it. If that were documented, it'd sure be easier to use the tools more effectively. It does what it does, how it does it, in the source code. Manual pages do not serve

pf n00b

2009-10-31 Thread ghe
I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the documentation is even pretty decipherable, but I'm still a little confused by pf. I managed to build a trivial filter, but there are a few things I don't understand. I read somewhere (3 books, google, the website docs,

Re: pf n00b

2009-10-31 Thread Vadim Zhukov
On 1 November 2009 c. 00:00:41 ghe wrote: I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the documentation is even pretty decipherable, but I'm still a little confused by pf. I managed to build a trivial filter, but there are a few things I don't understand. I read

Re: pf n00b

2009-10-31 Thread Stuart Henderson
On 2009-10-31, ghe g...@slsware.com wrote: pf.conf consists largely of anchors (to fork on protocol) and sub-anchors below them to fork on service -- I'm trying to reduce the count of rules seen by a packet to a minimum. But no need for that, we have automatic skip steps, and a ruleset

Re: pf n00b

2009-10-31 Thread Ryan McBride
On Sat, Oct 31, 2009 at 03:00:41PM -0600, ghe wrote: I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the documentation is even pretty decipherable, but I'm still a little confused by pf. I managed to build a trivial filter, but there are a few things I don't understand. I