On Nov 1, 2009, at 1:12 AM, Toma Bodar wrote:
I don't know if you find one document about PF, but here it is
http://home.nuug.no/~peter/pf/en/ same author wrote book about PF.
Yup. That's one of the books I read -- but pf seems to have moved
since then. Thanks for the link to this major
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:
no need for that, we have automatic skip steps, and a ruleset
optimizer that re-orders where it makes sense.
see the 3 articles on undeadly about pf for some fundamentals,
starting here;
On Oct 31, 2009, at 9:26 PM, Ryan McBride wrote:
I can't speak for the books, and I KNOW google is full of lies, but can
you point out specifically what parts of the website docs and man page
talks about this? It should be removed.
After going through the replies I've received, I'm thinking
On Oct 31, 2009, at 3:33 PM, Vadim Zhukov wrote:
Bad idea. pf is not iptables. Read FAQ for examples, and start from
scratch using tricks from those examples, not from iptables.
My biggest problem seems to have been total ignorance of the depth of
the optimizer. I didn't see much in the way
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:
no need for that, we have automatic skip steps, and a ruleset
optimizer that re-orders where it makes sense.
Well, I'll be damned. The pf optimizer actually works! If I order the
rules properly and put in enough info into them that pf can
On Sun, Nov 01, 2009 at 01:16:10PM -0700, ghe wrote:
On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:
no need for that, we have automatic skip steps, and a ruleset
optimizer that re-orders where it makes sense.
Well, I'll be damned. The pf optimizer actually works! If I order the
On Sun, Nov 1, 2009 at 4:16 PM, ghe g...@slsware.com wrote:
This does bring a question to my mind, though. Why is this ruleset
optimization kept a secret? It's a *very* major piece of pf, IMHO. I did a
significant amount of reading and looking around, and I never saw it
discussed in any detail
On Nov 1, 2009, at 3:08 PM, Ted Unangst wrote:
The optimizer is documented in both the pfctl and pf.conf man pages,
and the one for pf.conf tells you exactly what it does.
In pfctl's man page (4.6), there is a statement that the kernel
sometimes skips rules -- no mention of the optimizer
The earlier poster (Jason) is right: this *is* the way a firewall
should work -- spend your time on implementing the security policy and
let the 'compiler' worry about efficiency. But since the others don't,
it might be a good idea to go into this at some length.
Since it just does what
On Nov 1, 2009, at 4:11 PM, Theo de Raadt wrote:
Since it just does what a good system should do, what is there to go
into at length about?
What it does. How it does it. If that were documented, it'd sure be
easier to use the tools more effectively.
Yes, other systems taught you to
Since it just does what a good system should do, what is there to go
into at length about?
What it does. How it does it. If that were documented, it'd sure be
easier to use the tools more effectively.
It does what it does, how it does it, in the source code. Manual pages
do not serve
I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the
documentation is even pretty decipherable, but I'm still a little
confused by pf. I managed to build a trivial filter, but there are a
few things I don't understand.
I read somewhere (3 books, google, the website docs,
On 1 November 2009 c. 00:00:41 ghe wrote:
I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the
documentation is even pretty decipherable, but I'm still a little
confused by pf. I managed to build a trivial filter, but there are a
few things I don't understand.
I read
On 2009-10-31, ghe g...@slsware.com wrote:
pf.conf consists largely of anchors (to fork on protocol) and sub-anchors
below them to fork on service -- I'm trying to reduce the
count of rules seen by a packet to a minimum. But
no need for that, we have automatic skip steps, and a ruleset
On Sat, Oct 31, 2009 at 03:00:41PM -0600, ghe wrote:
I'm fresh off the boat from Debian. I love OpenBSD's attitude, and
the documentation is even pretty decipherable, but I'm still a
little confused by pf. I managed to build a trivial filter, but
there are a few things I don't understand.
I