Hello
> On 8 Sep 2005, at 13:55, Stephan A. Rickauer wrote:
>> Thanks to the kind help on this list, my test firewall successfully
>> runs OpenBSD 3.7 and is basically configured. I now need to think
>> about migrating my existing netfilter rule set to pf and would like
>> to ask also some general questions to understand the concept(s)
>> sufficiently.
>>
>> If I understand correctly, pf has no 'forward' chain like netfilter
>> (which is probably by design). I have to admit I've found it pretty
>> handy to use forward chains since one does not have to specify IN
>> and OUT rules separately. But I don't want to argue about that. The
>> simple question is: Does that mean a netfilter forward rule needs
>> to be replaced by two pf rules (in general)?
> Does rdr not provide forward-like functionality in pf? Or is it that
> you want to filter rdr'd connections?
No, I think he doesn't speak of redirections. What he means are packets
which travel through the firewall but aren't from or for the firewall.
Yes, you have to define rules for incoming and for outgoing packets
(just like it was in ipchains, but there you also had to define rules for
forward), but pf is stateful!

If you use

    pass in on $int from $net to $internet keep state

then the packet is known when it leaves on $ext and you don't need
another rule there.
Btw (and that's just my 2 cents) I worked 5 years with ipchains/iptables
and started some months ago with pf and I must say I like it; it's easier
to understand, simpler to debug and I like the idea of not having a
forward chain: packets just come in and go out. And the logging, the
logging is absolutely cool. Nothing else than sniffing on an interface.
guido
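A worked translation of the stateful approach Guido describes, added here as an illustrative pf.conf fragment and not taken from any of the posters: the two netfilter FORWARD rules a typical setup needs and the single pf rule that replaces them. The interface names, the LAN prefix and the macro names are assumptions.

```pf
# Added example pf.conf fragment (OpenBSD 3.7 syntax, where "keep state"
# must still be written explicitly). Interface names and the LAN prefix are
# placeholders. Routing through the box also needs net.inet.ip.forwarding=1
# in /etc/sysctl.conf; pf only filters, it does not enable forwarding.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# The netfilter version of "LAN may reach the Internet" takes two FORWARD
# rules, one per direction:
#   iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# pf has no FORWARD chain: a transit packet is filtered on the interface it
# enters and again on the one it leaves. With the default floating state
# policy, a state created on $int_if is matched on $ext_if before the
# ruleset is consulted, so one stateful "pass in" covers both legs and
# both directions of the connection.

block log all                # default deny on every interface, in and out

pass in on $int_if from $lan to any keep state
# Outbound leg on $ext_if and all reply packets hit the state table; no
# "pass out on $ext_if" rule is needed for transit traffic. (If you set
# "state-policy if-bound" instead, each interface needs its own rule.)

# Traffic the firewall itself originates (the netfilter OUTPUT chain) is
# still subject to "block all" and needs its own stateful rule:
pass out on $ext_if from $ext_if to any keep state

# Everything matched by a "log" rule shows up as pcap on pflog0, which is
# the "sniffing on an interface" Guido refers to:
#   tcpdump -n -e -ttt -i pflog0
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch state creation with `pfctl -s state` while a LAN host opens a connection.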