PF?
Jeremy C. Reed
reed at reedmedia.net
Tue Jan 10 17:46:16 PST 2006
Sorry, no In-Reply-To: header. I am following up via the mail archive. Please
CC me on replies.
On Wed, 4 Jan 2006 at 09:16:10 +0100, joerg wrote:
> On Tue, Jan 03, 2006 at 11:02:32PM -0800, Jeremy C. Reed wrote:
>> Anyone using PF on DragonFly?
>>
>> I see it was imported on Sept. 21, 2004 and is in DragonFly 1.2 and 1.4. I
>> guess this is the same as OpenBSD's pf 3.5 (I only checked to see if it had
>> bad-timestamp and didn't see it).
>
> It should be mostly OpenBSD 3.6, but there are some minor differences.
>
>> (And I see that tcpdump has support for OpenBSD's pf packet logging.)
>
> Never tested that.
>
>> Anyone using PF on DragonFly?
>
> Me, primary firewall.
>
>> What features at time of import were broken or worked differently on
>> DragonFly? (Is this documented anywhere?)
The following is a longer description of this; maybe it could be reused for
documentation. Please share your feedback or better wording (please
carbon-copy me on reply). I also have questions below.
PF was first officially released as part of DragonFly 1.2 in April
2005. DragonFly 1.2 and 1.4 include PF 3.5. It is mostly PF 3.6,
but there are some minor differences.
DragonFly Kernel Configuration
By default on DragonFly, PF is available as a kernel loadable
module, which can be loaded with:
# kldload pf
The kernel module is enabled with pflog(4) logging. The /etc/rc.d/pf
script will load the kernel module as needed at boot time.
To build a DragonFly kernel with a builtin PF, use the following
kernel configurations:
device pf # PF OpenBSD packet-filter firewall
device pflog # logging support interface for PF
device pfsync # synchronization interface for PF
You need to recompile, install and boot the new kernel for the
settings to take effect.
Enabling PF on DragonFly
To start PF at boot time, set the variable pf_enable=YES
in your /etc/rc.conf file. You can also define pf_rules to point
to your custom rule file; it defaults to /etc/pf.conf which provides
a commented-out example. The /etc/rc.d/pf script includes command
line arguments to start, stop, restart, reload, resync, and to show
PF status.
To enable the PF logging, set pflog_enable=YES in your /etc/rc.conf
file. The /etc/rc.d/pflog rc.d script can be used to start and stop
the packet filter logging daemon.
Differences with OpenBSD
No "set skip" option. (This is a PF 3.7 feature.)
The pfsync device for monitoring state changes is not part of
DragonFly's default kernel module. A custom kernel must be
built with the pfsync device. ***This may be wrong; see below.***
ALTQ is also not available as integrated with PF.
CARP is not available. And no carpdev mode.
DragonFly does not have support for labels for routes, so
filtering on route labels does not work. (Anyway, this is a
PF 3.7 feature.)
QUESTIONS:
Any plans for route labels?
Is there a memory leak when unloading pf.ko? (as mentioned in
original commit message)
Does anyone use pfsync? The manual page doesn't mention the pfsync
device, and the ifconfig code doesn't appear to have pfsync support.
I haven't tried. What happens if ALTQ is defined when building pf?
Do the "user" and "group" keywords work?
Anyone using authpf?
Anyone using spamd? (The version in pkgsrc is not ported for DragonFly
yet.)
Jeremy C. Reed
technical support & remote administration
http://www.pugetsoundtechnology.com/
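The following is an added example, not part of the original post and not DragonFly's own rc scripts: a small POSIX sh helper that produces the pieces the description above talks about, the /etc/rc.conf variables that make /etc/rc.d/pf and /etc/rc.d/pflog run at boot, and a minimal ruleset written for the PF 3.5/3.6 feature set (no "set skip", so loopback traffic is passed by an explicit rule, and state is kept explicitly). The external interface name em0 and the output paths are assumptions; the functions take a file argument so they can be exercised in a scratch directory before anything is copied to the live system.

```shell
#!/bin/sh
# Added example (not from the original post or from DragonFly). Generates
# rc.conf settings and a pf.conf usable with the PF 3.5/3.6 that ships in
# DragonFly 1.2/1.4. All paths come from arguments; nothing here touches /etc.

# Set name=value in an rc.conf-style file. A line for the same variable is
# replaced rather than duplicated, so re-running the script is harmless.
set_rc_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # Rewrite through a temp file: portable, no reliance on sed -i.
        sed "s|^${name}=.*|${name}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# The three variables /etc/rc.d/pf and /etc/rc.d/pflog read at boot.
# pf_rules is the default path, stated explicitly so it is visible in rc.conf.
write_pf_rc_conf() {
    set_rc_var "$1" pf_enable YES
    set_rc_var "$1" pf_rules /etc/pf.conf
    set_rc_var "$1" pflog_enable YES
}

# Minimal default-deny ruleset. The interface name em0 is an assumption.
# Loopback is passed with an explicit rule because the "set skip" option
# only arrived with PF 3.7; "keep state" is spelled out because stateful
# filtering was not the default in this PF generation.
write_pf_conf() {
    cat > "$1" <<'EOF'
ext_if = "em0"

# Never filter loopback (explicit rule instead of PF 3.7's set-skip option).
pass quick on lo0 all

# Default deny inbound; log drops to pflog0 for the pflogd daemon.
block in log all

# Allow everything outbound, tracking state.
pass out all keep state

# Allow inbound ssh to the external interface only.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
EOF
}

# Syntax-check a ruleset with pfctl when it is available (it will not be on a
# build host that is not running PF); otherwise skip rather than fail.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check of $1" >&2
        return 0
    fi
}

# Exit status 0 if the given rc.conf will start PF at boot.
pf_enabled_at_boot() {
    grep -q '^pf_enable=YES$' "$1"
}

# Usage, against a scratch directory rather than the live /etc:
#   d=$(mktemp -d); write_pf_rc_conf "$d/rc.conf"; write_pf_conf "$d/pf.conf"
#   check_pf_conf "$d/pf.conf" && pf_enabled_at_boot "$d/rc.conf"
```

Once the generated files are reviewed, the rc.conf lines go into /etc/rc.conf and the ruleset into /etc/pf.conf; `pfctl -nf /etc/pf.conf` parses the rules without loading them, and `/etc/rc.d/pf start` (or `reload` after edits) applies them, with `/etc/rc.d/pf status` showing whether the filter is running.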