Comments on: Openbsd: ‘interface groups and pf’ http://stateless.geek.nz/2005/06/18/openbsd-interface-groups-and-pf/ Mon, 06 Feb 2012 01:02:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Nicholas Lee http://stateless.geek.nz/2005/06/18/openbsd-interface-groups-and-pf/comment-page-1/#comment-278 Nicholas Lee Sat, 18 Jun 2005 06:11:18 +0000 http://stateless.geek.nz/2005/06/18/openbsd-interface-groups-and-pf/#comment-278 I think <em>"pf is much easier to configure"</em>, is the important point. Configuration of iptables is like trying to be your own mo-DEM. Ingress and egress in this situation I think is different slightly from the normal use. Egress above is basic the interfaces associated with the default route. So you can traffic filter and manage (using ALTQ no doubt) traffic on the default route both inwards/ingress (block <strong>in</strong> on egress ...) and outwards.egess (block <strong>out</strong> on egress ...). Everything else is a matter of local policy. Obviously this is very useful for a laptop changing between wired and wireless, but maybe not so useful for a fixed server. I think “pf is much easier to configure”, is the important point. Configuration of iptables is like trying to be your own mo-DEM. Ingress and egress in this situation I think is different slightly from the normal use. Egress above is basic the interfaces associated with the default route.

So you can traffic filter and manage (using ALTQ no doubt) traffic on the default route both inwards/ingress (block in on egress …) and outwards.egess (block out on egress …). Everything else is a matter of local policy.

Obviously this is very useful for a laptop changing between wired and wireless, but maybe not so useful for a fixed server.

]]> By: Richard Parry http://stateless.geek.nz/2005/06/18/openbsd-interface-groups-and-pf/comment-page-1/#comment-279 Richard Parry Sat, 18 Jun 2005 05:45:19 +0000 http://stateless.geek.nz/2005/06/18/openbsd-interface-groups-and-pf/#comment-279 That's pretty cool. I think you can do something similar with Tables, but you need to chain a rule to an interface and point it to another, and that shit will send you blind just trying to work it out. pf is much easier to configure, and with this function it should be cool. Does it also support ingress? That way you could have default lists for any sort of interface, both inbound and outbound traffic. That’s pretty cool.

I think you can do something similar with Tables, but you need to chain a rule to an interface and point it to another, and that shit will send you blind just trying to work it out.

pf is much easier to configure, and with this function it should be cool. Does it also support ingress? That way you could have default lists for any sort of interface, both inbound and outbound traffic.

]]>