Subject: Re: Problems with PF
From: Kimi Ostro <[email protected]>
To: William Ross <[email protected]>
Date: Tue, 12 Apr 2005 02:45:15 +0100
Cc: "[email protected]" <[email protected]>
On Apr 12, 2005 12:58 AM, William Ross <[email protected]> wrote:
> At 01:20 PM 4/11/2005, Kimi Ostro <[email protected]> wrote:
> >On Apr 11, 2005 1:04 PM, Abdul Rehman Gani <[email protected]>
> > > pass out quick on $ext_if from <jamiat> to any keep state queue jamiat_o
> > > #
> > >
> >Do you REALLY need all those quick keywords in there? To be quite
> >honest I am surprised if this ruleset worked as you intended.
> Also, if I may; pf is a lot less complicated (to me) than
> IPFilter, yet there is still a learning curve.
I've never used IPFilter; in fact pf is the first "true" firewall I
have used. Over the last 18 months or so it's been a love/hate
relationship, also trying to get into the mindset of how pf does its
thing, what/which direction this packet is going to/coming from
(diagrams really do help!).
The best thing is that, once you have pf figured out, it is truly
marvelous and you have to tip your hat to the developers. My only
gripe is that, considering how powerful/simple pf is, there haven't
really been any interesting pf rulesets (yes, I have looked). Something
like a pf cookbook with rules that can put a client's web page request
at one priority, and another that is using HTTP as a large file
transfer protocol at a lower priority via TOS. Maybe pf would need to
be on a different OSI layer to do that.
> In the rule set given by Abdul, the above rule is the last
> one. When I found out that a quick modifier on the last
> rule was redundant it became immediately obvious to me what
> "quick" does. Quick should be used strategically, and it's not
> necessary in the last rule.
Kinda funny how many times I've seen quick being overly abused,
although I agree it is fine when used strategically in places like pass quick on lo0.
I've sometimes wondered if they thought the packet would get there faster.
> Adding my 2 cents hoping to help.
Aren't we all, plus hoping to learn something new along the way.
PS. Soz for being a little OT.
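To make the point about "quick" concrete, here is an added pf.conf fragment; it is an illustration written for this archive page, not a ruleset posted by anyone in the thread. It assumes an external interface named fxp0, a constructed sample table containing the TEST-NET-1 prefix 192.0.2.0/24, and the ALTQ queue syntax of 2005-era pf (later OpenBSD releases replaced ALTQ with a different queueing system, so the altq/queue lines would need adapting there). The rules show where "quick" changes the outcome and where it is merely redundant.

```pf
# Added example, not from the thread. pf evaluates rules top to bottom and,
# unless a matching rule carries "quick", the LAST matching rule decides.

ext_if = "fxp0"                    # assumed interface name
table <jamiat> { 192.0.2.0/24 }    # constructed sample network (TEST-NET-1)

# Minimal ALTQ setup so the "queue jamiat_o" assignment below can load.
altq on $ext_if cbq bandwidth 2Mb queue { std_q, jamiat_o }
queue std_q   bandwidth 50% cbq(default)
queue jamiat_o bandwidth 50%

# Strategic use of quick: loopback traffic is decided right here and none of
# the rules that follow are consulted for lo0 packets.
pass quick on lo0

# Default deny WITHOUT quick: evaluation continues, so a later matching
# pass rule can override this decision. Had this been "block quick",
# the pass rule for <jamiat> below would never be reached.
block out on $ext_if all

# Last rule in the file. "quick" would be redundant on it: there is no later
# rule that could override its decision anyway, so the behaviour is the same
# with or without the keyword.
pass out on $ext_if from <jamiat> to any keep state queue jamiat_o
```

Loading the fragment with pfctl -nf /path/to/file parses it without applying it, which is the easiest way to check that a reorganised ruleset still loads before touching a live firewall.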