PF?

Jeremy C. Reed reed at reedmedia.net
Tue Jan 10 17:46:16 PST 2006


Sorry no In-Reply-To: header. I am following up via mail archive. Please 
CC me on replies.

On Wed, 4 Jan 2006 at 09:16:10 +0100, joerg wrote:

> On Tue, Jan 03, 2006 at 11:02:32PM -0800, Jeremy C. Reed wrote:
>>  Anyone using PF on DragonFly?
>>
>>  I see it was imported in Sept. 21, 2004 and is in DragonFly 1.2 and 1.4. I
>>  guess this is the same as OpenBSD's pf 3.5 (I only checked to see if it had
>>  bad-timestamp and didn't see it).
>
> It should be mostly OpenBSD 3.6, but there are some minor differences.
>
>>  (And I see that tcpdump has support for OpenBSD's pf packet logging.)
>
> Never tested that.
>
>>  Anyone using PF on DragonFly?
>
> Me, primary firewall.
>
>>  What features at time of import were broken or worked differently on
>>  DragonFly? (Is this documented anywhere?)

The following is a longer description of this; maybe it could be reused for 
documentation. Please share your feedback or better wording (please 
carbon-copy me on reply). I also have questions below.

PF was first officially released as part of DragonFly 1.2 in April
2005.  DragonFly 1.2 and 1.4 include PF 3.5.  It is mostly PF 3.6,
but there are some minor differences.

DragonFly Kernel Configuration

By default on DragonFly, PF is available as a kernel loadable
module, which can be loaded with:

# kldload pf

The kernel module is enabled with pflog(4) logging. The /etc/rc.d/pf
script will load the kernel module as needed at boot time.

To build a DragonFly kernel with a builtin PF, use the following
kernel configurations:

  device pf     # PF OpenBSD packet-filter firewall
  device pflog  # logging support interface for PF
  device pfsync # synchronization interface for PF

You need to recompile, install and boot the new kernel for the
settings to take effect.

Enabling PF on DragonFly

To start PF at boot time, set the variable pf_enable=YES
in your /etc/rc.conf file. You can also define pf_rules to point
to your custom rule file; it defaults to /etc/pf.conf which provides
a commented-out example.  The /etc/rc.d/pf script includes command
line arguments to start, stop, restart, reload, resync, and to show
PF status.

To enable the PF logging, set pflog_enable=YES in your /etc/rc.conf
file. The /etc/rc.d/pflog rc.d script can be used to start and stop
the packet filter logging daemon.

Differences with OpenBSD

No "set skip" option. (This is a PF 3.7 feature.)

The pfsync device for monitoring state changes is not part of
DragonFly's default kernel module. A custom kernel must be
built with the pfsync device. ***This may be wrong; see below.***

ALTQ is also not available as integrated with PF.

CARP is not available. And no carpdev mode.

DragonFly does not have support for labels for routes. So
filtering on route labels does not work. (Anyway, this is a
PF 3.7 feature.)

QUESTIONS:

Any plans for route labels?

Is there a memory leak when unloading pf.ko? (as mentioned in 
original commit message)

Does anyone use pfsync? The manual page doesn't mention pfsync
device and the ifconfig code doesn't appear to have pfsync support.

I haven't tried. What happens if ALTQ is defined when building pf?

Do the "user" and "group" keywords work?

Anyone using authpf?

Anyone using spamd? (The version in pkgsrc is not ported for DragonFly 
yet.)

 Jeremy C. Reed

 technical support & remote administration
 http://www.pugetsoundtechnology.com/
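Added example, not part of Jeremy's mail or of the DragonFly project: a small POSIX shell preflight check for rulesets being moved from OpenBSD to the PF in DragonFly 1.2/1.4. It flags the directives the mail lists as unavailable there ("set skip", ALTQ/queue, CARP), shows a ruleset written without them ("pass quick on lo0" in place of "set skip on lo0", explicit "keep state"), and reads the rc.conf variables the mail names (pf_enable, pflog_enable, pf_rules) the way rc.subr's yes/no check does. Both rulesets, the interface name em0 and every file path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail or from DragonFly): preflight a
# pf.conf for DragonFly 1.2/1.4 and check the rc.conf switches.

# Directives the mail says are unavailable on DragonFly 1.2/1.4 PF:
#   "set skip"        -> PF 3.7 feature
#   "altq" / "queue"  -> ALTQ is not integrated with PF
#   "carp" / carpdev  -> CARP is not available
UNSUPPORTED_PATTERNS='^[[:space:]]*set[[:space:]]+skip|^[[:space:]]*altq[[:space:]]|(^|[[:space:]])queue[[:space:]]|(^|[^[:alnum:]])carp'

# check_pf_conf FILE
# Returns 0 if FILE uses only what DragonFly's PF 3.5/3.6 supports, otherwise
# prints each offending line as FILE:LINE:TEXT on stderr and returns 1.
# Comments are stripped first so a commented-out "set skip" is not reported.
check_pf_conf() {
    hits=$(sed 's/#.*//' "$1" | grep -n -E "$UNSUPPORTED_PATTERNS") || return 0
    printf '%s\n' "$hits" | sed "s|^|$1:|" >&2
    return 1
}

# rc_enabled FILE VAR
# Returns 0 if the last assignment of VAR in FILE is a "yes" value in the
# sense of rc.subr's checkyesno (yes/true/on/1, any case), otherwise 1.
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    case $val in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    esac
    return 1
}

# Constructed ruleset that stays within DragonFly 1.4 PF: loopback is passed
# with "pass quick" instead of "set skip", and "keep state" is written out
# because PF 3.x rules are stateless unless told otherwise.
write_dfly_ruleset() {
    cat > "$1" <<'EOF'
ext_if = "em0"
set block-policy drop
scrub in all
# no "set skip on lo0" on DragonFly 1.4: pass loopback explicitly
pass quick on lo0 all
block in log all
pass out on $ext_if proto { tcp udp icmp } from any to any keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
EOF
}

# Constructed OpenBSD 3.7-style ruleset that would fail to load on DragonFly 1.4.
write_openbsd37_ruleset() {
    cat > "$1" <<'EOF'
ext_if = "em0"
set skip on lo0
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 9Mb cbq(default)
queue ssh bandwidth 1Mb
block in log all
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state queue ssh
EOF
}

# Stand-alone demonstration: check both constructed rulesets and a constructed
# rc.conf fragment, then clean up.
demo() {
    d=$(mktemp -d)
    write_dfly_ruleset "$d/pf.conf.dfly"
    write_openbsd37_ruleset "$d/pf.conf.obsd37"
    for f in "$d/pf.conf.dfly" "$d/pf.conf.obsd37"; do
        if check_pf_conf "$f"; then
            echo "$f: ok for DragonFly 1.4 PF"
        else
            echo "$f: needs changes before use on DragonFly 1.4"
        fi
    done
    printf 'pf_enable="YES"\npf_rules="/etc/pf.conf"\npflog_enable=NO\n' > "$d/rc.conf"
    for v in pf_enable pflog_enable; do
        if rc_enabled "$d/rc.conf" "$v"; then
            echo "$v is on"
        else
            echo "$v is off"
        fi
    done
    rm -rf "$d"
}
demo
```

Run it as-is to see both rulesets checked; to use it on a real system, call `check_pf_conf /etc/pf.conf` before `/etc/rc.d/pf reload`, and `rc_enabled /etc/rc.conf pflog_enable` to confirm the pflog daemon will be started at boot.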




