that's not exciting at all. maybe one day i will write a vpf device. benefits include not having to be root to check an agreed-upon subset of your states, running proxies and other applications that insert rules completely non-root

other details have to be worked out so that sub-pfs can't run the system out of resources, that's the main thing

xoxo

On Thu, Jul 5, 2012 at 10:46 AM, Henning Brauer <lists-open...@bsws.de> wrote:
> * Andres Perera <andre...@zoho.com> [2012-07-04 17:42]:
>> out of curiosity, how would you make pf(4) only handle rules
>> pertaining to a certain anchor depending on the process that's
>> interfacing with them? i ask because, e.g., pfctl -sr should only
>> show rules for that client, and other pf(4) operations need to be
>> equally restricted. i know that originally you said that the loading
>> of the rules is not up to the client but a periodic batch job, however
>> that does not match "CheckPoint VSX"
>
> geez, don't act so helpless, this is unix after all.
>
> write yourself a little wrapper that, depending on the caller/source,
> enforces a pfctl -a anchorinquestion ...
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
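One way to build the wrapper Henning describes, as an added example that is not part of the thread: a POSIX sh script, meant to be the only pf-related command a service user may run through doas(1) or sudo(8), that maps the caller to a single anchor and rewrites every request into `pfctl -a <anchor> ...`. The user names, anchor names, the allowed operation set and the PFWRAP_MAIN switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. The calling user is mapped to
# exactly one anchor, every request becomes "pfctl -a <anchor> ...", and only
# a small set of per-anchor operations is passed through. User names, anchor
# names and the allowed set below are constructed for illustration.

# Constructed policy: which anchor a given caller may manage.
anchor_for_user() {
    case "$1" in
        proxyd) printf '%s\n' "proxyd" ;;
        webapp) printf '%s\n' "webapp/rules" ;;
        *) return 1 ;;
    esac
}

# Validate the caller's arguments and print the pfctl command line, or print
# nothing and return 1 if anything falls outside the allowed set:
#   -sr        show the anchor's rules
#   -F rules   flush the anchor's rules (only the rule set, never -F all)
#   -f -       load rules into the anchor from stdin
# -a is never accepted, so the caller cannot pick another anchor, and -f takes
# only "-", so pfctl is never asked to open an arbitrary file as root.
build_pfctl_cmd() {
    user=$1; shift
    anchor=$(anchor_for_user "$user") || return 1
    cmd="pfctl -a $anchor"
    while [ $# -gt 0 ]; do
        case "$1" in
            -sr) cmd="$cmd -sr"; shift ;;
            -F) [ "$2" = "rules" ] || return 1; cmd="$cmd -F rules"; shift 2 ;;
            -f) [ "$2" = "-" ] || return 1; cmd="$cmd -f -"; shift 2 ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Entry point when installed under doas(1)/sudo(8): the real caller is the
# invoking user recorded by the privilege tool, not root.
run_wrapper() {
    caller=${DOAS_USER:-${SUDO_USER:-$(id -un)}}
    cmd=$(build_pfctl_cmd "$caller" "$@") || {
        echo "pfwrap: request refused for $caller" >&2; return 1; }
    exec $cmd   # every field comes from our own fixed vocabulary above
}

# Act as a command only when explicitly asked (assumed switch PFWRAP_MAIN).
if [ "${PFWRAP_MAIN:-0}" = 1 ]; then run_wrapper "$@"; fi
```

Anything the wrapper refuses is logged to stderr with the caller's name, which gives the administrator a simple audit trail of attempts to reach outside the assigned anchor.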