[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Things pf can't do?

I'm new to pf, so I'd appreciate a sanity-check.  I've searched through
the docs and the mailing list archives but not found anything that
clarifies this.  (I found one similar question, but it never got an
There seem to be some things one might reasonably want to do which are
not practical with pf; in particular, I (being paranoid) would like to
drop any incoming packets which have the loopback address as their
destination address -- but I also need to redirect some incoming packets
to the loopback address (e.g., for spamd and ftp-proxy).  Since only the
translated addresses are available to the filter rules, the only way to
do this appears to be to use the 'pass' option on the redirection rules
-- but this means that all of the other sanity-checking I do in the
filter rules must also be squeezed into each redirection rule (which not
only is awkward but probably isn't possible, since they're most likely
too complex to express that way).
If my analysis is correct, are there any plans for dealing with issues
of this sort?  I suppose that the obvious solution would be to add the
untranslated destination address and port to the information available
to the filter rules.  [I do realize that anything like this would
probably be a relatively low-value feature and that it could slow down a
time-critical code path, and therefor might not be worth doing.]
Dave Anderson
<[email protected]>