From owner-freebsd-questions@FreeBSD.ORG Fri May 5 13:46:01 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D5D8816A412 for ; Fri, 5 May 2006 13:46:01 +0000 (UTC) (envelope-from bc3910@gmail.com)
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4DD7643D45 for ; Fri, 5 May 2006 13:46:01 +0000 (GMT) (envelope-from bc3910@gmail.com)
Received: by py-out-1112.google.com with SMTP id e30so788474pya for ; Fri, 05 May 2006 06:46:00 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=rfXzRf24qvxJtO2UxDoomsiascnzquo6liWwp+Nkdq/dc8WFH62W5PcsijLWwcNwq9FtbdK6Tt9M9+5V/unJskpeILGOtofyQ3xb4uare2Od96Gh1A7uYLtPQxD8pL9m022W/NJ4FIE4Q3NmT5XhUIWtFNv2/1EhOU7PBH9yb7Q=
Received: by 10.35.70.17 with SMTP id x17mr708601pyk; Fri, 05 May 2006 06:46:00 -0700 (PDT)
Received: by 10.35.12.14 with HTTP; Fri, 5 May 2006 06:46:00 -0700 (PDT)
Message-ID: <51257d370605050646p16e413e9je128abd16ff87e32@mail.gmail.com>
Date: Fri, 5 May 2006 07:46:00 -0600
From: "Bryan Curl"
To: "Atom Powers"
In-Reply-To:
MIME-Version: 1.0
References: <51257d370605021635x126d6560ueffdba9285d763da@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-questions
Subject: Re: ipfirewall tricks
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 05 May 2006 13:46:01 -0000

On second look PF has some definite improvements over IPFilter.
My rule set file is half as long for one thing. I like the macros and tables. I'm still reading through the documentation, but I have not figured out why the log doesn't seem to be working yet. I have all the required entries in rc.conf.

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

Handbook at http://www.openbsd.org/faq/pf/ seems to indicate I need a device named pflog0, which I do not have. Also pflogd does not start on boot even though it is listed in rc.conf. Perhaps the start up script did not get installed into the correct location. My installation was from the 6.0 release ISO, so I would naturally assume it is correct.

Thanks for the reminder of this program. I think I will like it better than the others for my purposes and administrative skill level.

On 5/2/06, Atom Powers wrote:
>
> On 5/2/06, Bryan Curl wrote:
> > I want to limit time my kids spend on the internet.
> > The way I am doing it is to make varying, separate ipf.rules files and
> > install them from cron at the appropriate time.
> > Problem is, if I make a change to one file, I generally have to update all
> > the others accordingly.
> >
> > Is there a better way? I have read man ipf but didn't come out with any
> > ideas.
>
> I would use pf and have something like this:
>
> pf.conf
> ----
> table <kids> persist
> block out from <kids> to any
> ----
>
> crontab
> ----
> pfctl -t kids -T add kids.ip.to.block
> pfctl -t kids -T del kids.ip.to.allow
> ----
>
> You can also keep the IPs in a flat file and just tell pf to re-read
> the file (or read a different file) to update the table.
>
> I love pf.
>
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--

--
Bryan
bc3910 'at' gmail 'dot' com
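The thread's suggestion, carried through as a cron-driven script, is shown below. This is an added example, not code from either poster. The table name "kids" follows Atom's pf.conf fragment; the address file path /etc/pf.kids.txt, the 16:00 to 20:00 window, the install path and the pf.conf lines in the header comment are assumptions made for this example. It demonstrates the point of the approach: one ruleset stays loaded and only the table contents change, so nothing ever reloads pf.conf from cron. It also validates the flat file before loading it, so a stray line in the address file cannot silently put the wrong (or no) address in the table.

```shell
#!/bin/sh
# kidsfw.sh -- flip the pf table <kids> from cron instead of swapping rule files.
# Added example for this thread, not code from either poster.
#
# Assumed /etc/pf.conf lines (the table name "kids" is from the thread,
# the rest is an assumption for this example):
#   table <kids> persist
#   block out quick from <kids> to any
#
# Assumed crontab (open at 16:00, close at 20:00; hour passed explicitly
# so a late-running job still applies the right state):
#   0 16 * * * /usr/local/sbin/kidsfw.sh apply 16
#   0 20 * * * /usr/local/sbin/kidsfw.sh apply 20

PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-kids}
KIDS_FILE=${KIDS_FILE:-/etc/pf.kids.txt}   # assumed path, one IPv4 address per line
ALLOW_FROM=${ALLOW_FROM:-16}               # hour (0-23) at which access opens
ALLOW_TO=${ALLOW_TO:-20}                   # hour at which access closes

# Return 0 if $1 is a dotted quad with four octets in 0..255, else 1.
valid_ipv4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(echo "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the well-formed addresses from file $1: first field of each line,
# skipping blanks, comments and anything that is not an IPv4 address.
clean_addr_list() {
  while read -r addr _; do
    case "$addr" in ''|'#'*) continue ;; esac
    if valid_ipv4 "$addr"; then
      echo "$addr"
    fi
  done < "$1"
  return 0
}

# Print "allow" when hour $1 (0-23, leading zero tolerated) is inside the
# window, else "block".
kids_state() {
  hour=${1#0}
  hour=${hour:-0}
  if [ "$hour" -ge "$ALLOW_FROM" ] && [ "$hour" -lt "$ALLOW_TO" ]; then
    echo allow
  else
    echo block
  fi
}

# Apply a state: "allow" empties the table, "block" replaces its contents
# with the validated address list. The loaded ruleset is never touched.
apply_state() {
  case "$1" in
    allow) $PFCTL -t "$TABLE" -T flush ;;
    block)
      tmp=$(mktemp) || return 1
      clean_addr_list "$KIDS_FILE" > "$tmp"
      $PFCTL -t "$TABLE" -T replace -f "$tmp"
      rc=$?
      rm -f "$tmp"
      return $rc ;;
    *) echo "usage: $0 apply [hour] | show" >&2; return 2 ;;
  esac
}

case "$1" in
  apply) apply_state "$(kids_state "${2:-$(date +%H)}")" ;;
  show)  $PFCTL -t "$TABLE" -T show ;;
esac
```

`-T replace` loads the whole list atomically and `-T flush` empties the table, so there is no window where a partially updated table is in effect, and `kidsfw.sh show` (pfctl -t kids -T show) confirms what is currently blocked. Because the table is declared `persist`, it survives having no members and no referencing change between cron runs.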