tech-misc archive
Re: Flagging pf
On 11/20/2011 03:58 AM, Luke Mewburn wrote:
> On Sat, Nov 19, 2011 at 12:02:54AM -0500, D'Arcy Cain wrote:
> | Is there any reason that /etc/rc.d doesn't use the ${pf_flags} variable?
> Probably not, although I don't see a default value for pf_flags
> in etc/defaults/rc.conf. I'd recommend updating that in sync.
Good point. The default is "" so it works anyway but it's good for
documentation purposes.
> What extra (pfctl) options were you considering to use ?
Basically I want to use a common pf.conf for all my systems that
includes the following lines:
# Exempt internal interfaces
pass quick on lo0
pass quick on $int_if
# Filtering: the implicit first two rules are
block in log on $ext_if
pass out all
pass in inet proto icmp all icmp-type echoreq modulate state
pass in proto udp from any port 123 to any
pass in quick on $ext_if from <FRIENDS> to any keep state
So my pf_flags would be "-Dext_if=bge0 -Dint_if=bge1" with different
values on each system.
(I see that rc.d ipfilter doesn't implement overrides either.)
Think I modify that as well? There is also npf but I think that that is
still under active development so I didn't want to touch it but it would
be nice if it worked too for when I switch.
By the way, the other thing missing in all of these is an include
facility. That would have been a nice to have too.
--
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/
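The scheme above relies on one shared pf.conf whose interface macros are supplied per host through pf_flags ("-Dext_if=bge0 -Dint_if=bge1"). The failure mode worth checking before reboot is a macro that is neither defined in the file nor passed with -D: pfctl then refuses the whole ruleset, and the host comes up with no filter loaded. The real check is a parse-only load, pfctl -n -f /etc/pf.conf with the same -D options, but the following added example (written for this page; it is neither D'Arcy's code nor part of NetBSD's rc.d) shows the override semantics in isolation: it pulls the -D pairs out of a pf_flags string, expands $macro references with command-line values winning over in-file definitions (as pfctl -D does), reports undefined macros, and confirms that the expanded ruleset still carries an inbound block on the external interface. The fallback macro values "em0"/"em1" and the table file path are constructed for the sample; the rules are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample based on the common pf.conf quoted in the thread.
# Assumption: the file carries fallback macro values; pfctl -D on the
# command line (pf_flags) overrides them per host.
SAMPLE_PF_CONF = """\
ext_if = "em0"          # fallback, overridden per host via pf_flags
int_if = "em1"
table <FRIENDS> persist file "/etc/pf.friends"
# Exempt internal interfaces
pass quick on lo0
pass quick on $int_if
# Filtering: the implicit first two rules are
block in log on $ext_if
pass out all
pass in inet proto icmp all icmp-type echoreq modulate state
pass in proto udp from any port 123 to any
pass in quick on $ext_if from <FRIENDS> to any keep state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
MACRO_REF = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')


def parse_pf_flags(flags: str) -> Dict[str, str]:
    """Collect -Dmacro=value (or '-D macro=value') pairs from a pf_flags string."""
    overrides: Dict[str, str] = {}
    tokens = flags.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-D" and i + 1 < len(tokens):
            spec, i = tokens[i + 1], i + 2
        elif tok.startswith("-D"):
            spec, i = tok[2:], i + 1
        else:
            i += 1
            continue
        name, sep, value = spec.partition("=")
        if sep and name:
            overrides[name] = value
    return overrides


def expand(conf: str, overrides: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Expand $macro references in a ruleset.

    Command-line overrides take precedence over definitions in the file
    (pfctl's -D behaviour). Returns (expanded rule lines, problems); a
    problem is a reference to a macro defined nowhere, which would make
    pfctl reject the whole ruleset.
    """
    macros: Dict[str, str] = {}
    rules: List[str] = []
    problems: List[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        # Naive comment strip: fine here because no '#' appears inside quotes.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue

        def subst(ref: "re.Match[str]") -> str:
            name = ref.group(1)
            if name in overrides:
                return overrides[name]
            if name in macros:
                return macros[name]
            problems.append(f"line {lineno}: macro ${name} is undefined")
            return ref.group(0)

        rules.append(MACRO_REF.sub(subst, line))
    return rules, problems


def inbound_default_deny(rules: List[str], ext_if: str) -> bool:
    """True if some expanded rule blocks inbound traffic on ext_if, i.e. the
    per-host override did not quietly remove the default deny."""
    pat = re.compile(rf'^block\s+in\b.*\bon\s+{re.escape(ext_if)}\b')
    return any(pat.match(r) for r in rules)


if __name__ == "__main__":
    flags = "-Dext_if=bge0 -Dint_if=bge1"   # the pf_flags value from the thread
    ov = parse_pf_flags(flags)
    rules, problems = expand(SAMPLE_PF_CONF, ov)
    for r in rules:
        print(r)
    print("problems:", problems or "none")
    print("inbound default deny on", ov["ext_if"], ":", inbound_default_deny(rules, ov["ext_if"]))
```

Running it with the thread's pf_flags prints the ruleset with bge0/bge1 substituted and no problems; dropping the int_if line from the file and passing no -D reproduces the undefined-macro case that would otherwise surface only as a failed pfctl load at boot.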