
First time user comments



The very broad one: I don't understand why there are separate configuration
files for bridges, routing and packet filtering.
Now for the picky ones.
Could the "syntax error" message give the position in the line where the
error occurred, or at least the token that caused it? When you are a
first-time user, syntax errors are not obvious.
I could find nowhere in the documentation that says what happens when
you omit the "on <interface>" clause. The documentation implies that it
must always be given, and the grammar in "man pf.conf" shows it as being
required, but several examples don't supply one. I believe that not
supplying an "on <interface>" means the statement applies to all
interfaces.
What needs to be quoted in a macro is not documented. One of my first
mistakes was to write
	Internal_net = 192.168.200/24
I could not find any documentation that said it had to be written as
	Internal_net = "192.168.200/24"
with quotes. I also tried
	DebugLog = log
and got a similar error.
I have several (actually three) segments, each of which has its own
set of IP addresses. I wanted each segment to be only allowed to send in
from IP addresses belonging to the segment (and, for good measure, to stop
the firewall from putting out packets onto a segment that they did not
belong on). I expected an option on the antispoof directive to implement
this effect, but it was not there, so I wrote:
	InternalInterfaces = "{" ste1 ste2 ste3 "}"
	block in  quick on $InternalInterfaces from !$id:network
	block out quick on $InternalInterfaces to   !$id:network
and was surprised to get "macro id is not defined". I believe the $id is
only defined in certain contexts. Now I can get the same effect by
writing the six statements, which is what I did, but I was surprised.
It would be nice to have a mechanism for delayed and/or retried DNS
queries. I don't like putting raw IP addresses into configuration files,
but if I put the DNS names in the files and DNS is unavailable, the
configuration file fails. I know I can use pfctl and load them
afterwards, but every time the configuration gets spread out across many
places it is harder to keep track of.
What I would like is to be able to prefix a DNS address with a character
to mark its treatment. Such as
	+www.openbsd.org
The "+" would mean that the name must be resolved at load time.
	-www.openbsd.org
The "-" would mean that the name, until it can be resolved, would be
treated like "any", and an unmarked name would be treated as a nonexistent
IP address until it can be resolved. That way pf would still start up if
DNS is unavailable and adjust itself automatically as DNS becomes
available.
The choice of "www.openbsd.org" used in the example was not by accident.
I didn't want my firewall creating any traffic on the external network,
but for "spamd" I need to access "www.openbsd.org", and my DNS servers
are inside my network and can't get out until the firewall is up. I
think the implementation would be simple: if there was a name lookup
failure, set a timer and have pf reload its configuration file, repeating
until successful.
It would be nice if there was a predefined macro for the unrouteable
address.
It would be nice, if there is only one interface type on the computer, to
define a macro for them automatically; I suggest $id0, $id1, etc. That way
pf config files could be more portable, particularly in the case of a
server machine that only has one interface.
I could not find any documentation on the output of tcpdump for pf. For
example, tcpdump gives a rule number as "rule 68/0(match)"; eventually I
figured out that the first number was the n'th rule as output by
"pfctl -s rules". I have no idea what the "/0" is for. The flags field
also has values that I cannot find documentation for.
"pfctl -s rules" should number its rules.
Thanks for the good product
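As an added example (not part of the original post), a constructed pf.conf fragment that writes out the macro quoting, the per-interface source/destination restriction, and the deferred table loading discussed above; the interface names, the address block, the external interface and the table name are assumptions.

```pf
# Constructed pf.conf fragment; ste1-ste3, fxp0, the address block and
# the table name are placeholders, not the original poster's values.

# Macro values that are not a single plain word (they contain "/" or
# ".") or that collide with a keyword (such as "log") must be quoted.
internal_net = "192.168.200.0/24"
ext_if       = "fxp0"
int_ifs      = "{" ste1 ste2 ste3 "}"

# A persistent table can be declared empty and filled once internal
# DNS is reachable, e.g.:  pfctl -t spamd_hosts -T add www.openbsd.org
table <spamd_hosts> persist

# Default deny; log everything that is not explicitly allowed.
block log all

# Per-segment restriction. There is no automatic per-interface macro,
# so the ":network" modifier is applied to each interface by name;
# "quick" makes these rules final as soon as they match.
block in  quick on ste1 from ! ste1:network
block out quick on ste1 to   ! ste1:network
block in  quick on ste2 from ! ste2:network
block out quick on ste2 to   ! ste2:network
block in  quick on ste3 from ! ste3:network
block out quick on ste3 to   ! ste3:network

# Internal hosts may pass; the firewall itself only talks to the table
# entries on the external interface.
pass in  on $int_ifs from $internal_net to any keep state
pass out on $ext_if proto tcp from ($ext_if) to <spamd_hosts> \
    port { 80 443 } keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it; the table stays empty (and the last pass rule matches nothing) until it is populated with pfctl.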