OpenBSD Journal

Great things coming...

Contributed by jose on from the pf-continues-to-kick-ass. dept.

Somebody writes:

From: Daniel Hartmeier

Date: Thu, 5 Dec 2002 17:47:32 -0700 (MST)
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT:        /cvs
Module name:    src
Changes by:     dhartmei@cvs.openbsd.org        2002/12/05 17:47:32

Modified files:
        sbin/pfctl     : pfctl.8 parse.y pfctl.c pfctl_parser.c
        share/man/man5 : pf.conf.5
        sys/net        : pfvar.h pf.c pf_ioctl.c pf_norm.c
        usr.sbin/authpf: authpf.c

Log message:
Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


This is something I have been dreaming about for a while, glad to see it's taking shape!



Comments
  1. By Anonymous Coward () on

    Is this similar to IPF's rule groups? I'm not too clear on what this means. Don't mean to sound so dumb, but anyone care to explain it better to me?

    Thanks!

    Comments
    1. By Anonymous Coward () on

      http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/pf.conf.5.diff?r1=1.137&r2=1.138&f=h

      Comments
      1. By Anonymous Coward () on

        Thx man.

    2. By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html

      Yes, it's similar. You can write an anchor rule like

      anchor foo proto tcp from any to any port smtp

      and then load into anchor foo

      block quick from 1.2.3.4 to any
      block quick from 2.3.4.5 to any
      ...

      These rules will only be evaluated for packets that match the parameters on the anchor rule, for TCP packets with destination port 25.

      Skip steps optimize both evaluation of the main rule set and of any named rule sets in anchors. And the anchor rules in the main rule set are skipped over with skip steps, when possible.

      Daniel
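To make the gating behaviour Daniel describes concrete, here is a small added model of pf's rule evaluation (not pf's own code and not from the thread): last matching rule wins unless a rule is quick, and rules loaded into an anchor are only consulted for packets that match the anchor rule's own parameters. The rule sets and packets are constructed to mirror the example above; addresses are matched exactly for simplicity.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str
    src: str
    dport: int

@dataclass
class Rule:
    action: str                     # "pass", "block" or "anchor"
    quick: bool = False
    proto: Optional[str] = None     # None means "any"
    src: Optional[str] = None       # exact address only (toy model, no CIDR)
    dport: Optional[int] = None
    sub: List["Rule"] = field(default_factory=list)  # rules loaded into the anchor

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet, decision: str = "pass") -> Tuple[str, bool]:
    """pf-style evaluation: the last matching rule wins unless a matching rule
    is 'quick', which ends evaluation. Returns (action, stopped_early)."""
    for r in rules:
        if not r.matches(p):
            continue                 # a non-matching anchor rule skips its whole sub-ruleset
        if r.action == "anchor":
            decision, stopped = evaluate(r.sub, p, decision)
            if stopped:
                return decision, True
            continue                 # the anchor rule itself sets no action
        decision = r.action
        if r.quick:
            return decision, True
    return decision, False

def verdict(rules: List[Rule], p: Packet) -> str:
    return evaluate(rules, p)[0]

# Constructed rule sets mirroring the thread: "anchor foo proto tcp ... port smtp"
# in the main set, and "block quick from 1.2.3.4 ..." loaded into anchor foo.
ANCHOR_FOO = [Rule("block", quick=True, src="1.2.3.4"),
              Rule("block", quick=True, src="2.3.4.5")]
MAIN = [Rule("block"),                                         # default deny
        Rule("anchor", proto="tcp", dport=25, sub=ANCHOR_FOO),
        Rule("pass", proto="tcp", dport=25),
        Rule("pass", proto="tcp", dport=80)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "1.2.3.4", 25), Packet("tcp", "1.2.3.4", 80),
                Packet("tcp", "5.6.7.8", 25), Packet("udp", "1.2.3.4", 25)):
        print(pkt, "->", verdict(MAIN, pkt))
```

Note that 1.2.3.4 is blocked only on TCP port 25; the same host reaching port 80 never touches the anchor's rules because the anchor rule itself does not match.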

      Comments
      1. By Anonymous Coward () on

        Thx Dan.

    3. By Anonymous Coward () on

      Apart from being able to use names instead of numbers, it's more restrictive than IPF rule groups.

      Comments
      1. By Can Erkin Acar () on

        Anchor rules are not an implementation of ipf groups. They have the main purpose of allowing daemons, proxies and scripts to manage sub rule sets more easily. In this case, some restriction is actually useful.

        Ipf groups have a more general syntax since ipf also uses/needs groups for (manual) rule optimization. In pf, optimization is done automagically using skip steps, which as a bonus also optimize anchor rule evaluation.

      2. By Anonymous Coward () on

        How so?

  2. By niekze () on

    If Daniel was playing NBA Jam, he'd be on fire. Seriously, the man just *doesn't* stop. On a sidenote, the IPF wing of the Natural History Museum is opening on Monday ;)

    I only wish Darren Reed wrote Sendmail...

    Comments
    1. By Anonymous Coward () on

      It is easy to add new features that "look cool" when all you're doing is copying things others have done.

      Comments
      1. By Anonymous Coward () on

        It is easy to troll when you make broad sweeping statements because you do not understand the differences between similar features.

    2. By Anonymous Coward () on

      ipfilter "-current" is a lot different from what most people have ever used, especially OpenBSDers. The big difference is there isn't a thread on any web site advertising every new little feature that gets added.

  3. By Anonymous Coward () on

    Has anyone done anything to get AuthPF to be used over, say, OpenSSL? This way users can authenticate over the web rather than ssh.

    Comments
    1. By Anonymous Coward () on

      You need to keep the SSH session connected in order to prevent connection hijacking and such.

      How would you accomplish this with a web interface?

      Comments
      1. By Raymond Morsman () raymond@dyn.org on mailto:raymond@dyn.org

        You can have an nph-cgi script running. As long as the pfauth keeps on giving some kind of NOP-like response, it should work.

    2. By Anonymous Coward () on

      Anchors look very much the same as the equivalent in netfilter/iptables.
