From: Atom Powers
To: Bryan Curl
Cc: freebsd-questions
Date: Fri, 5 May 2006 08:53:24 -0700
Subject: Re: ipfirewall tricks

Unlike pf, pflog does not have a loadable module. You have to build it into the kernel.

On 5/5/06, Bryan Curl wrote:
> On second look PF has some definite improvements over IPFilter.
> My rule set file is half as long for one thing. I like the macros and
> tables.
>
> I'm still reading through the documentation, but I have not figured out why
> the log doesn't seem to be working yet. I have all the required entries in
> rc.conf.
> pf_enable="YES"                 # Enable PF (load module if required)
> pf_rules="/etc/pf.conf"         # rules definition file for pf
> pf_flags=""                     # additional flags for pfctl startup
>
> pflog_enable="YES"              # start pflogd(8)
> pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
> pflog_flags=""                  # additional flags for pflogd startup
>
> Handbook at http://www.openbsd.org/faq/pf/ seems to indicate I need a
> device named pflog0 which I do not have. Also pflogd does not start on boot
> even though it is listed in rc.conf. Perhaps the start up script did not get
> installed into the correct location. My installation was from the 6.0 release
> ISO, so I would naturally assume it is correct.
>
> Thanks for the reminder of this program. I think I will like it better than
> the others for my purposes and administrative skill level.
>
>
> On 5/2/06, Atom Powers wrote:
> > On 5/2/06, Bryan Curl wrote:
> > > I want to limit the time my kids spend on the internet.
> > > The way I am doing it is to make varying, separate ipf.rules files and
> > > install them from cron at the appropriate time.
> > > Problem is, if I make a change to one file, I generally have to update
> > > all the others accordingly.
> > >
> > > Is there a better way? I have read man ipf but didn't come out with any
> > > ideas.
> >
> > I would use pf and have something like this:
> >
> > pf.conf
> > ----
> > # the table has to be declared before a rule can refer to it
> > table <kids> persist
> > block out from <kids> to any
> > ----
> >
> > crontab
> > ----
> > pfctl -t kids -T add kids.ip.to.block
> > pfctl -t kids -T del kids.ip.to.allow
> > ----
> >
> > You can also keep the IPs in a flat file and just tell pf to re-read
> > the file (or read a different file) to update the table.
> >
> > I love pf.
> >
> > --
> > Perfection is just a word I use occasionally with mustard.
> > --Atom Powers--
>
> --
> Bryan
> bc3910 'at' gmail 'dot' com

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
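Turning the table approach from Atom's earlier reply into a complete setup, as an added example that is not code from the thread or from FreeBSD: a small sh script that cron runs to load the <kids> table from a flat address file or to flush it, together with the pf.conf and crontab lines it assumes. The table name kids follows the thread; the file paths, the inside interface fxp0, the script name kids-net.sh and the 21:00 to 07:00 window are assumptions for the example. The script also covers the point the post leaves out: putting an address into a block table does not touch that host's already established pf states, so the block is only immediate if those states are killed as well.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): cron-driven on/off switch
# for the <kids> pf table, fed from a flat file of addresses.
# Assumed paths, interface and schedule; adjust to taste.

PF_TABLE="${PF_TABLE:-kids}"
KIDS_ADDRS="${KIDS_ADDRS:-/etc/pf.kids.addrs}"   # one IP or CIDR per line, '#' comments allowed
PFCTL="${PFCTL:-pfctl}"

# pf.conf this script expects (constructed for the example):
#   int_if = "fxp0"
#   table <kids> persist file "/etc/pf.kids.addrs"
#   pass  in quick on $int_if from <kids> to $int_if:network
#   block return in quick on $int_if from <kids> to any
# The rule sits on the inside interface on purpose: the nat rule rewrites the
# source address before an "out on $ext_if" rule would see it, so <kids>
# would never match there.

# Print the usable addresses from the table file: no comments, no blanks.
list_addrs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Mode for a given hour (0-23): blocked from 21:00 up to 06:59.
mode_for_hour() {
    if [ "$1" -ge 21 ] || [ "$1" -lt 7 ]; then
        echo block
    else
        echo allow
    fi
}

# Make the file the authoritative table contents, then drop every state
# the listed hosts already have; a table change alone leaves them alive.
do_block() {
    "$PFCTL" -t "$PF_TABLE" -T replace -f "$KIDS_ADDRS"
    list_addrs "$KIDS_ADDRS" | while read -r addr; do
        "$PFCTL" -k "$addr"
    done
}

# Empty the table; with "persist" pf keeps the table itself around.
do_allow() {
    "$PFCTL" -t "$PF_TABLE" -T flush
}

# root's crontab (constructed):
#   0 21 * * * /usr/local/sbin/kids-net.sh block
#   0  7 * * * /usr/local/sbin/kids-net.sh allow
# "kids-net.sh auto" from rc.local restores the right state after a reboot
# that falls inside the blocked window.
case "${1:-}" in
    block) do_block ;;
    allow) do_allow ;;
    auto)
        hour=$(date +%H); hour=${hour#0}
        if [ "$(mode_for_hour "$hour")" = block ]; then do_block; else do_allow; fi
        ;;
    "")    ;;   # no argument: only define the functions (sourced or tested)
    *)     echo "usage: $0 block|allow|auto" >&2; exit 64 ;;
esac
```

With "-T replace -f" the file, not the running table, is the single thing to edit, which is the maintenance problem the original question was about; the two cron lines never change. Run "pfctl -t kids -T show" after a switch to confirm the table contents, and "pfctl -s state" to confirm the kids' states are gone.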