On Thu, 4 Apr 2019 19:51:14 +0000, Taylor R Campbell <[email protected]> wrote:
First, thanks for gathering all the things mentioned so far into a single posting.

> There's also extended documentation, beyond the man pages, here:
>
> https://rmind.github.io/npf/

Then the following needs to be added to the "TODO" list:

TODO: incorporate website documentation into local manual pages.

If I need to access a web site to configure the firewall and need the firewall configured to access the web site, I'm stuck.

> - ftp-proxy (Jan Danielsson)

"Me too."

> - pf netifN:0, netifN:network notation (John D. Baker)

To be clear, the notation itself is immaterial, but the functionality it represents is what is needed.

> - address subset selection (John D. Baker)

This is more a generic statement about what pf's "netifN:0" does. For my current needs an equivalent to "netifN:0" is sufficient, but I can imagine a case for an interface with more than two addresses of the same family in different networks and needing to select any subset of them.

> - dynamic ifaddrs(netifN) (John D. Baker)

The "ifaddrs(netifN)" function is what evaluates the addresses on the interface with each reference in a rule, or so the documentation makes it appear. Contrast with "inet4(netifN)" or "inet6(netifN)", which is only evaluated when the configuration file is loaded.

"ifaddrs(netifN)" appears to be the equivalent of pf's "(netifN)", but always returns the full list of all addresses on an interface, so it cannot be used in a NAT (map foo -> bar) statement. Hence the desire to select a subset, or at least only the first address in the list, e.g., pf's "(netifN:0)": dynamic address evaluation with return of only the first address.

> - pf synproxy state (John D. Baker)

Be sure such an implementation can be used in a straightforward fashion on host firewalls protecting local services. With the current 'pf' in NetBSD, I have to have services listen on a dummy interface (I create "lo1") and redirect traffic to it for synproxy state to work.

For services redirected (port forwarded) to an internal or DMZ host, it works as expected without any subterfuge.

> - ipf migration path (manu)

and likewise a pf migration path.

> - altq (Thor Lancelot Simon)

Yes, please.

> - greylisting integration (MLH)

This, too. I use 'spamd' with 'pf' and would like to keep such facility.

I should be able to write a config file that can be copied to other systems and used either with no changes at all, or changing only those variables which name the network interfaces. E.g., swap out SPARC-based router for net4501. Copied "pf.rules" (my config file) from SPARC to Soekris box, change variables defining interfaces and away we go.

-- 
|/"\ John D. Baker, KN5UKS                 NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net   OpenBSD    FreeBSD
| X  No HTML/proprietary data in email.     BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8  D3F4 BD99 9572 8F23 E4AD 1645
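The three pf idioms discussed in the message above (interface macros that are the only thing to change when moving the rule set between boxes, the dynamic "($ext_if:0)" first-address notation on the right-hand side of a nat rule, and the dummy "lo1" redirect needed to get "synproxy state" in front of a local service) put together in one pf.conf. This is an added illustration, not the poster's actual "pf.rules" and not part of the thread; the interface names, addresses, networks and ports are assumptions chosen for the example.

```pf
# --- Only these macros change when the rule set moves to another box. ---
# Assumed: a Soekris net4501 with sis(4) NICs; a SPARC router would use e.g.
# hme0/hme1 here and nothing else in the file would change.
ext_if  = "sis0"
int_if  = "sis1"
dmz_if  = "sis2"

lan_net = "192.168.1.0/24"      # assumed internal network
dmz_web = "192.168.2.10"        # assumed DMZ web server

# Dummy loopback that the local sshd is configured to listen on; the address
# is an assumption.  Created with: ifconfig lo1 create inet 10.255.255.1/32
lo1_addr = "10.255.255.1"

set skip on lo0

# Outbound NAT.  "($ext_if:0)" is re-evaluated on every packet, so a DHCP
# lease change on $ext_if needs no reload, and ":0" selects only the first
# address of the interface, which is what makes it legal as a NAT target.
# Plain "($ext_if)" would expand to every address on the interface.
nat on $ext_if inet from $lan_net to any -> ($ext_if:0)

# Port forward to a DMZ host.  synproxy state works here as-is: pf completes
# the three-way handshake itself before any packet reaches $dmz_web.
rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 80 -> $dmz_web port 80
pass in on $ext_if inet proto tcp from any to $dmz_web port 80 \
    flags S/SA synproxy state

# Local service (sshd on this host).  In NetBSD's pf, synproxy state does not
# work for a service bound on the firewall's own address, so the traffic is
# redirected to the lo1 dummy address that sshd actually listens on.
rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 22 -> $lo1_addr port 22
pass in on $ext_if inet proto tcp from any to $lo1_addr port 22 \
    flags S/SA synproxy state

# Default policy: block inbound on the external interface, let the inside out.
block in log on $ext_if
pass in on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet keep state
```

Check it with "pfctl -nf /etc/pf.conf" before loading, and confirm the dynamic expansion with "pfctl -sn" after a lease change; if sshd is still bound to "*" rather than the lo1 address, the rdr rule will match but the SYN proxy will not engage for the local listener, which is exactly the subterfuge the message describes.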
