OpenBSD Journal

Onlamp: interview OpenBSD PF Developers, Part 2

Contributed by grey on from the developers being interviewed again dept.

Thanks to Stelianos G. Sfakianakis and others who submitted a link to part two of this interview.

Federico Biancuzzi's second part of the interview can be found here:

For those who missed part one, which we previously reported on here, you can also find that interview at this location:


  1. By Anonymous Coward ( on

    * return-rst now works on IPless bridges

    Wow! Is this in 3.5 or just for 3.5-current?

    1. By Brad ( brad at comstyle dot com on

      -current only.

  2. By Dan ( on

    After using CheckPoint for a few years: I understand why filtering layer 7 is not wanted in the kernel, but how can a rule in squid match a specific user? How can authpf influence squid? How can altq manage QoS for different users after the proxy is given the traffic? How can I "ipsec" traffic from a specific user? I think that some API should be out there for proxies to talk with PF, for extracting data like usernames and pf labels, or for setting altq parameters...

    1. By djm@ ( on

      How does CheckPoint know this? Most of the time it just associates a user with an IP address. Authpf is one example of how this can be done. For protocols like http, one could have squid or a more lightweight proxy to add the user's IP address into a table upon authentication. This wouldn't be much work for someone building a firewall platform.
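A concrete version of what djm@ sketches above (the proxy adds the authenticated user's address to a PF table, and PF rules match on the table), written as an added example for this page. It is not code from the interview, from OpenBSD, or from Squid. It assumes Squid's external ACL helper interface (one request line per lookup built from a `%SRC %LOGIN` format, a reply of `OK` or `ERR`, no concurrency channel prefix), a PF table named `proxy_users`, a helper name `pf_sync`, an ACL name `pf_users` and a queue name `std_user` (all names chosen for this example), and that the helper runs with enough privilege to call pfctl. The sample request lines are constructed, not captured traffic.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that mirrors authenticated users into a PF table.

Added example, not from the interview or any project. Assumptions (labelled):
  - squid.conf runs this script as an external ACL helper fed "%SRC %LOGIN":
        external_acl_type pf_sync ttl=60 %SRC %LOGIN /usr/local/bin/pf_user_sync.py
        acl pf_users external pf_sync
        http_access allow pf_users
    (helper name pf_sync, acl name pf_users and the path are this example's choices)
  - pf.conf defines the table and uses it, for instance:
        table <proxy_users> persist
        pass in on $int_if from <proxy_users> queue std_user
    (table and queue names are this example's choices)
  - the helper runs with enough privilege to invoke pfctl (root, or a doas rule)
"""
import ipaddress
import subprocess
import sys

TABLE = "proxy_users"   # hypothetical table name, must match pf.conf


def parse_request(line):
    """Parse one helper request line "<src-ip> <login>".

    Returns (ip_address, login) or None when the line is malformed, the
    address is invalid, or the login is squid's "-" placeholder for "none".
    Squid URL-encodes spaces inside fields, so splitting on whitespace is safe.
    """
    parts = line.strip().split()
    if len(parts) != 2:
        return None
    ip_text, login = parts
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if login in ("", "-"):
        return None
    return ip, login


def pfctl_add_command(ip, table=TABLE):
    """argv for adding ip to the table; a list, so no shell ever sees the input."""
    return ["pfctl", "-t", table, "-T", "add", str(ip)]


def run_pfctl(argv):
    """Execute pfctl and return its exit status (0 on success)."""
    return subprocess.run(argv, capture_output=True).returncode


def handle_line(line, runner=run_pfctl):
    """Produce the helper reply for one request.

    "OK" means the client address is now in the table (the ACL matches),
    "ERR" means it is not, so a pfctl failure fails closed. `runner` is
    injectable so the logic can be exercised without a live pf.
    """
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    ip, _login = parsed
    if runner(pfctl_add_command(ip)) != 0:
        return "ERR"
    return "OK"


# Constructed sample requests, not captured squid traffic.
SAMPLE_REQUESTS = [
    "10.0.0.5 alice",        # authenticated IPv4 client
    "10.0.0.5 -",            # squid sends "-" when %LOGIN is unavailable
    "2001:db8::1 bob",       # IPv6 works unchanged; pf tables hold both
    "not-an-ip carol",       # garbage from a misconfigured format line
]


def demo(runner=lambda argv: 0):
    """Run the samples through the helper with a no-op runner (dry run)."""
    return [handle_line(req, runner) for req in SAMPLE_REQUESTS]


def main():
    """Helper loop: one request per line on stdin, one reply per line on stdout."""
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()          # squid waits for each reply


if __name__ == "__main__":
    main()
```

Two practical points. First, the helper only ever adds addresses, so pair it with periodic removal, for example `pfctl -t proxy_users -T expire 3600` from cron together with a short helper `ttl` so that active clients are re-added on their next lookup. Second, this carries exactly the limitation djm@ names: the association is per IP address, so a NAT gateway or a multi-user host behind one address will inherit whatever the first authenticated user unlocked; per-user queueing or IPsec selection through this mechanism is only as good as the one-user-per-address assumption.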


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.