OpenBSD Journal

Wanted: PF rulesets for pf ruleset Optimizer testing

Contributed by grey on from the Frantzen ransoms rulesets lest Henning never drink beer again dept.

Thanks to an Anonymous Optimizer for writing in:

They need testers and guinea pigs for an automatic ruleset optimizer, see this post.

It looks like this started here.

Sounds awesome, and if you act now it's a bit of a rare opportunity too; as Mike Frantzen rightly said, "Would Checkpoint offer to tune FW-1 for your exact configuration?" If winning people over with honey isn't working, he's also threatening to deprive henning@ of beer if people don't send in their rulesets. I'm not sure if the threat is as much of an incentive, but you never know.


  1. By Mike Frantzen ( on

    Depriving henning@ of beer is a huge threat! Ever read Dr. Jeckyl and Mr. Hyde? :-) For those whose mail servers don't talk TLS, pgp key at:

    1. By Anonymous Coward ( on

      he's also threatening to deprive henning@ of beer

      oh the humanity !

      1. By Miod ( on

        Preventing Henning from drinking beer is good for his liver. Join Mike in this lost cause, by not sending your rulesets. Henning will thank you once he'll recover his mind.

        1. By Peter Hessler ( on

          Yes, but when he's not drunk, he helps you drink. Results are here

  2. By James Nobis ( on

    This is really cool. I've got one generic ruleset I use when I deploy a standard firewall that I optimized until I couldn't optimize anymore. I'm curious what it would find on that ruleset. I also have this large complex ruleset with a DMZ and forwarding to several boxes, etc. that I haven't had the time to optimize. This tool might prove a nice time saver as well.

    1. By Nikademus (3ffe:bc0:8000:0:8000:0:d458:f566) on

      It may be great, but I cannot risk having my well-working script in a production environment do strange things because of some optimisation "bugs".

      1. By Michael Knudsen (2001:1448:80:21:4c96:aabd:301f:71fc) on

        That's why your ruleset is needed, so that the optimisation engine is tested extensively.

      2. By Petr Ruzicka ( on

        I built a new pfctl on my workstation and tested rulesets from different firewalls on my machine (via ./new_pfctl -o -nvf ./pf.orig). So you could see results (but not from pfctl -oo). Anyway, it does work and gave me some ideas on how to change my rulesets.

      3. By James ( on

        I think you are looking at it from the wrong point of view. The optimizer can give you ideas on your ruleset. It may show you unnecessary or misordered rules. By no means would I advocate passing your ruleset through the optimizer and placing it into production without thorough review of the changes.

        1. By djm@ ( on

          The whole point is to have an optimiser that generates equivalent rulesets, so you can put them into production without manually checking them first (e.g. automated profile-driven updates). Note that pf already does some optimisation, so you are already trusting the developers :)
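The review James asks for and the equivalence djm@ describes can both be checked the same way: run the original and the optimizer's output against the same sample packets and look for any packet on which the verdicts differ. The following is an added example, not pfctl's optimizer or any code from this thread; it evaluates only a small constructed subset of pf syntax (pass/block, quick, proto, from, to, port), and the rulesets, addresses and packets are all constructed for illustration.

```python
# Added illustration (not pfctl's own code): evaluate a constructed subset of pf
# rules to test an "optimized" ruleset for equivalence with the original.
# pf semantics modelled: the LAST matching rule wins unless it says "quick".
import re
from ipaddress import ip_address, ip_network

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?P<quick>\s+quick)?(?:\s+proto\s+(?P<proto>\w+))?"
    r"(?:\s+from\s+(?P<src>\S+))?(?:\s+to\s+(?P<dst>\S+))?(?:\s+port\s+(?P<port>\d+))?$")

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported rule: {line!r}")
            rules.append(m.groupdict())
    return rules
def _addr_ok(spec, addr):
    return spec in (None, "any") or ip_address(addr) in ip_network(spec, strict=False)
def matches(rule, pkt):
    return (rule["proto"] in (None, pkt["proto"]) and _addr_ok(rule["src"], pkt["src"])
            and _addr_ok(rule["dst"], pkt["dst"])
            and (rule["port"] is None or int(rule["port"]) == pkt["dport"]))

def verdict(rules, pkt):
    result = "pass"                  # pf passes a packet that no rule matches
    for r in rules:
        if matches(r, pkt):
            result = r["action"]
            if r["quick"]:           # "quick" ends evaluation at this rule
                break
    return result

def differences(original, optimized, packets):
    # Packets on which the two rulesets disagree; an empty list means equivalent.
    a, b = parse(original), parse(optimized)
    return [p for p in packets if verdict(a, p) != verdict(b, p)]

# Constructed sample data (documentation-range addresses, not a real site).
ORIGINAL = """block
pass proto tcp to 192.0.2.10 port 22
pass proto tcp to 192.0.2.10 port 22    # duplicate an optimizer may drop
block quick from 198.51.100.0/24"""
GOOD = "block quick from 198.51.100.0/24\nblock\npass proto tcp to 192.0.2.10 port 22"
BAD = GOOD.replace("block quick", "block")  # same rules reordered, but "quick" lost
PACKETS = [{"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22},
           {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}]
```

`differences(ORIGINAL, GOOD, PACKETS)` is empty, while `differences(ORIGINAL, BAD, PACKETS)` reports the 198.51.100.7 packet, because dropping `quick` while moving the block rule to the top lets the later pass rule win under last-match semantics.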


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]