NetBSD-Users archive


Re: NetBSD + npf for main Internet-facing firewall?



Much as I'd like to migrate to npf, it still lacks features critical to
my internet connection.

Multihomed interfaces, particularly where one or more addresses are
dynamic, are an all-or-nothing proposition.  To track dynamic addresses,
one must apply the same rules to ALL addresses, not different rules for
different addresses/networks.

In my case, my external interface has a private address to communicate
with the ADSL modem's status/config interface AND a dynamic address assigned
by my ISP via DHCP.  I need to track the dynamic address, but the two
addresses/networks require different rule sets.

I still require a properly proxied FTP capability.  I don't recall if
npf has grown this since it was last discussed years ago.

So, 'pf' meets my needs, but 'npf' does not (yet--there was some discussion
about syntax for filtering the address list returned for dynamic tracking,
but I have not seen any commits claiming to implement this).

-- 
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
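The split the poster describes, as an added pf.conf sketch that is not part of the original message and not anything NetBSD or the poster published. It assumes hypothetical interface names (wm0 outside, wm1 inside), a modem on 192.168.1.1/24, a LAN of 10.0.0.0/24, and the OpenBSD 4.x-style ftp-proxy(8) daemon listening on 127.0.0.1:8021; check the names and the ftp-proxy(8) page of the release actually in use. The point it illustrates is that pf lets the private, static side of the external interface be handled by fixed rules while the ISP side follows the DHCP address through ($ext_if:0), whereas npf's ifaddrs()/inet4() expand to every address on the interface at once.

```pf
# Added example, not from the original post.  Interface and address
# values are assumptions; adjust to the real host.
ext_if    = "wm0"            # ADSL side: DHCP address from the ISP + private alias
int_if    = "wm1"            # LAN side
lan       = "10.0.0.0/24"
modem_net = "192.168.1.0/24" # static private net to the modem's web/config UI
modem     = "192.168.1.1"

# Anchors used by ftp-proxy(8) (assumes the daemon-style proxy on port 8021).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT the LAN out through whatever the ISP address is right now.
# ($ext_if:0) tracks the interface's primary address and excludes aliases,
# so the private modem address never becomes a NAT source.  This relies on
# the DHCP address being primary and 192.168.1.x being the alias: verify
# with ifconfig before trusting it.
nat on $ext_if from $lan to ! $modem_net -> ($ext_if:0)

# Send LAN FTP clients through the proxy instead of opening data ports.
rdr pass on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021

block in log on $ext_if

# Rule set 1: the private side.  Static addresses, so no tracking needed,
# and "quick" keeps these from falling through to the Internet rules.
pass out quick on $ext_if inet proto tcp from $modem_net to $modem \
    port { 80, 443 } flags S/SA keep state
block in quick on $ext_if from $modem_net

# Rule set 2: the Internet side.  Rules follow the dynamic address.
pass out on $ext_if from ($ext_if:0) to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if:0) port ssh \
    flags S/SA keep state

# Rules ftp-proxy(8) installs at run time for each active FTP session.
anchor "ftp-proxy/*"
```

Load with `pfctl -nf /etc/pf.conf` first; the -n syntax check catches a missing pool type or a bad interface modifier before the ruleset replaces the live one, and `pfctl -sr` afterwards shows what ($ext_if:0) has actually expanded to.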

