From: "Travis H." <solinym@gmail.com>
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Date: Wed, 12 Jul 2006 14:32:26 -0500
Subject: Re: PF firewall rules
In-Reply-To: <000001c6a5b4$f8b055c0$0a00a8c0@thebeast>
References: <44B4C782.2@thebeastie.org> <000001c6a5b4$f8b055c0$0a00a8c0@thebeast>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

On 7/12/06, Greg Hennessy wrote:
> It's not the fault of the audience when someone refuses to take advice on
> board, ignores the reference material, demonstrates a lack of basic
> networking knowledge and then continues to slate the implementation of
> something they clearly do not understand.

Seconded. His comparison of pf's treatment of TCP as "protocol racism" was over the top (although I found it amusing).

With regard to that, TCP has some neat features that allow us to implement some small degree of security based on the flags and sequence numbers. UDP doesn't have anything of the sort at that layer. In fact, the way we do stateful filtering at the UDP level technically breaks DNS, because domain name servers aren't guaranteed to respond on the same interface/IP as the request came in on, because some servers bind to the wildcard address and the socket interface doesn't tell the server what IP the data came in on. Fortunately this doesn't matter in practice.

Trying to make a decent firewall which allows it to come up with established TCP connections won't work correctly 100% of the time, ever. That's why we have carp and pfsync.

If you can't be bothered to type out or alias `pfctl -f ruleset -F state`, we aren't required to make `/etc/init.d/pf resync` do what you want. You have aptly demonstrated you're capable of using a shell function to do it, so feel free to add that to /root/.profile, and use it in lieu of the former.

If you know the answers, I don't see the point of asking the questions. It appears you're asking them in some kind of Socratic irony sort of way, in an attempt to get the FreeBSDers to change the course of pf development, but you don't appear to understand the issues well enough to be guiding its development (and I'm not even sure FreeBSD has forked the code, or wants to diverge significantly from the OpenBSD version). For example, the "kernel" keyword you suggested is unnecessary and misleading. Every packet we deal with is being handled by the kernel. Tagging and policy-based routing can do what you want, and more. Just get over ipfilter; pf has a lot more to offer.

I don't mean this to sound unnecessarily harsh; I just want you to understand how things look to us. I'm done with this thread too, barring a particularly interesting question.

--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
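The message above suggests keeping the reload-and-flush sequence (`pfctl -f ruleset -F state`) in a shell function rather than asking the rc script to do it. The function below is an added example, not code from the thread or from FreeBSD; it assumes pfctl(8) at /sbin/pfctl, and the PFCTL variable (an assumption of this example) lets a wrapper stand in for it during a dry run. The one thing it adds over the bare command is a parse-only pass (`pfctl -n -f`) first, so a typo in the ruleset aborts before the running rules and the state table are touched.

```shell
#!/bin/sh
# Added example: reload a pf ruleset and flush the state table, but only
# after the ruleset parses cleanly. Not from the original mailing-list post.
# PFCTL is an assumed override hook so the function can be exercised with a
# stand-in binary; on a real box leave it unset.
PFCTL="${PFCTL:-/sbin/pfctl}"

# pf_resync [RULESET]
#   2  ruleset file missing or unreadable, nothing changed
#   1  ruleset fails to parse (or load), nothing changed by the parse step
#   0  ruleset loaded and state table flushed
pf_resync() {
    ruleset="${1:-/etc/pf.conf}"
    if [ ! -r "$ruleset" ]; then
        echo "pf_resync: cannot read $ruleset" >&2
        return 2
    fi
    # Parse only (-n): nothing is loaded, so a syntax error leaves the
    # running rules and existing state untouched.
    if ! "$PFCTL" -n -f "$ruleset"; then
        echo "pf_resync: syntax error in $ruleset, nothing changed" >&2
        return 1
    fi
    # Load the new rules, then drop existing state entries so every
    # connection is re-evaluated against them (the -F state from the thread).
    "$PFCTL" -f "$ruleset" || return 1
    "$PFCTL" -F state
}
```

Drop the function into /root/.profile and call `pf_resync` (or `pf_resync /path/to/rules`) after editing. Flushing state also drops established connections through the firewall, including the SSH session you are typing into, which is exactly why the check-before-load ordering matters: a ruleset that fails to parse should never get as far as the flush.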