Date:      Wed, 12 Jul 2006 14:32:26 -0500
From:      "Travis H." <solinym@gmail.com>
To:        "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF firewall rules
Message-ID:  <d4f1333a0607121232t27cee6fncb81c48ac5749918@mail.gmail.com>
In-Reply-To: <000001c6a5b4$f8b055c0$0a00a8c0@thebeast>
References:  <44B4C782.2@thebeastie.org> <000001c6a5b4$f8b055c0$0a00a8c0@thebeast>

On 7/12/06, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
> It's not the fault of the audience when someone refuses to take advice on
> board, ignores the reference material, demonstrates a lack of basic
> networking knowledge and then continues to slate the implementation of
> something they clearly do not understand.

Seconded.  His comparison of pf's treatment of TCP as "protocol
racism" was over the top (although I found it amusing).

With regard to that, TCP has some neat features that allow us to
implement some small degree of security based on the flags and
sequence numbers.  UDP doesn't have anything of the sort at that
layer.  In fact, the way we do stateful filtering at the UDP level
technically breaks DNS, because domain name servers aren't guaranteed
to respond on the same interface/IP as the request came in, because
some servers bind to the wildcard address and the socket interface
doesn't tell the server what IP the data came in on.  Fortunately this
doesn't matter in practice.

Trying to make a decent firewall which allows it to come up with
established TCP connections won't work correctly 100% of the time,
ever.  That's why we have carp and pfsync.

If you can't be bothered to type out or alias pfctl -f ruleset -F
state, we aren't required to make /etc/init.d/pf resync do what you
want.  You have aptly demonstrated you're capable of using a shell
function to do it, so feel free to add that to /root/.profile, and use
it in lieu of the former.

If you know the answers, I don't see the point of asking the
questions.  It appears you're asking them in some kind of Socratic
irony sort of way, in an attempt to get the FreeBSDers to change the
course of pf development, but you don't appear to understand the
issues well enough to be guiding its development (and I'm not even
sure FreeBSD has forked the code, or wants to diverge significantly
from the OpenBSD version).

For example, the "kernel" keyword you suggested is unnecessary and
misleading.  Every packet we deal with is being handled by the kernel.

Tagging and policy-based routing can do what you want, and more.  Just
get over ipfilter; pf has a lot more to offer.

I don't mean this to sound unnecessarily harsh; I just want you to
understand how things look to us.  I'm done with this thread too,
barring a particularly interesting question.
-- 
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
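The stateful-UDP/DNS point made in the message above, as an added example that is not part of the original thread or of pf's own code: a toy model of "pass out proto udp keep state" that creates state on an outbound datagram and admits inbound datagrams only when they match the exact reversed 4-tuple. Run against a constructed scenario (RFC 5737 documentation addresses, a hypothetical name server reachable on two addresses), it shows why a reply sent from a different address than the one queried is dropped, and why an unsolicited inbound datagram is dropped as well. The model is a deliberate simplification of how pf tracks UDP state and is assumed, not taken from the page.

```python
# Added example, not from the thread or from pf: a toy stateful UDP filter
# illustrating why a DNS reply from a different source address than the one
# queried does not match the state created by the query.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the firewall, "in" = arriving from outside


# State key as seen from the inside: (local ip, local port, remote ip, remote port)
StateKey = Tuple[str, int, str, int]


class StatefulUdpFilter:
    """Simplified model of 'pass out proto udp keep state': an outbound datagram
    creates state, an inbound datagram passes only if it matches existing state."""

    def __init__(self) -> None:
        self.states: Dict[StateKey, int] = {}  # key -> number of matched replies

    def handle(self, pkt: UdpPacket) -> str:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.states.setdefault(key, 0)
            return "pass"
        # Inbound: the reply must come from exactly the address and port we sent to.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.states:
            self.states[key] += 1
            return "pass"
        return "block"


def dns_reply_demo() -> Dict[str, str]:
    """Constructed scenario (assumed addresses from the RFC 5737 ranges):
    a resolver queries a name server that owns two addresses and answers
    from whichever one the kernel picks, because it bound to the wildcard."""
    fw = StatefulUdpFilter()
    client, cport = "198.51.100.10", 40000
    ns_primary, ns_alias = "192.0.2.53", "192.0.2.54"  # same server, two addresses
    results: Dict[str, str] = {}
    results["query"] = fw.handle(UdpPacket(client, cport, ns_primary, 53, "out"))
    # Reply from the queried address matches the state and passes.
    results["reply_same_ip"] = fw.handle(UdpPacket(ns_primary, 53, client, cport, "in"))
    # Reply from the server's other address is a legitimate answer, but no state matches it.
    results["reply_other_ip"] = fw.handle(UdpPacket(ns_alias, 53, client, cport, "in"))
    # Inbound datagram nobody asked for is dropped as expected.
    results["unsolicited"] = fw.handle(UdpPacket("203.0.113.7", 53, client, 41000, "in"))
    return results


if __name__ == "__main__":
    for name, verdict in dns_reply_demo().items():
        print(f"{name:16} {verdict}")
```

Running it prints one verdict per line: the query and the reply from the queried address pass, while the reply from the server's second address and the unsolicited datagram are blocked. As the message notes, this rarely bites in practice, since most resolvers retry and most servers bind their answer socket to the specific address the query arrived on.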