Re: pf and rpi

To: Christian Koch <cfkoch%sdf.lonestar.org@localhost>
Subject: Re: pf and rpi
From: Zoran Kolic <zkolic%sbb.rs@localhost>
Date: Fri, 3 Oct 2014 16:25:58 +0200

> Seriously, why aren't you using NPF? NPF is the packet filter that is actually
> being developed on and for NetBSD.

I'm not familiar with it.
On freebsd I use ipfw, with rules that first one wins.
On pf I know that the last one wins. Cannot be so sure
reading npf howto. My bet is that the last wins too.

I made a little investigation and seems that I could
change from pf to npf. The pf rules:

set skip on lo
block in all
block out all
pass out on usmsc0 proto { tcp, udp, icmp } from any to any modulate state
pass in on usmsc0 proto tcp from any to any port ssh

My version of /etc/npf.conf sounds like this:

group "eth" on usmsc0 {
	block all
	pass stateful out final all
	pass stateful in final proto tcp to usmsc0 port ssh
}
group default {
	pass final on lo0 all
	block all
}

So far, I'm confused about having to drop secure level to
-1 to load module for pf or npf. Gonna try that as my very
next step.

Thanks all for help and best regards

                                Zoran

Follow-Ups:
- Re: pf and rpi
  - From: Rhialto

References:
- pf and rpi
  - From: Zoran Kolic
- Re: pf and rpi
  - From: uhel
- Re: pf and rpi
  - From: Zoran Kolic
- Re: pf and rpi
  - From: Christian Koch

Prev by Date: Re: pf and rpi
Next by Date: Announcing the pkgsrc-2014Q3 Release
Previous by Thread: Re: pf and rpi
Next by Thread: Re: pf and rpi
Indexes:

Home | Main Index | Thread Index | Old Index