Daniel Ouellet wrote:
Looking in the archive, it looks like PF is viewed as feature complete and
really I can't think of anything I can't do with it except NAT traversal
in VoIP setups.
Maybe a bit off topic, but it immediately popped up in my head...
Until recently I also pictured pf as feature complete. However, after
having had hands-on experience with writing a rule set with special
queueing of traffic directed to a (relatively high) number of non-successive
port numbers, I am annoyed with the limited tables in pf. In my opinion
it would be really neat if a table concept was introduced for ports,
possibly including protocol (tcp/udp) indication. That would make it
possible to optimize rules that try to match a high number of ports,
similar to the way rules that try to match a high number of host and
network addresses can be optimized using the existing tables.
I'm striving to find out whether my idea is appropriate or just nonsense.
Maybe clever firewall design shouldn't need to match a high number of ports?
/Martin
Would it be possible to consider the addition of this, maybe?
Just curious?
Best,
Daniel
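The asymmetry Martin describes, as an added pf.conf illustration that is not from this thread or from OpenBSD's own documentation (interface name, table names, queue name, addresses and the port set are all assumptions; the `set queue` keyword is the post-5.5 OpenBSD syntax, older ALTQ-era pf used a bare `queue`):

```pf
# Added illustration, not from the thread. em0, the table and queue
# names, the RFC 5737 addresses and the port list are assumptions.
ext_if = "em0"

# Address tables: a single rule regardless of how many entries the table
# holds, and the contents can be changed at runtime with
#   pfctl -t scanners -T add 203.0.113.5
# without reloading the rule set.
table <scanners> persist file "/etc/pf/scanners"
table <mgmt> { 192.0.2.10, 192.0.2.11 }

block in quick on $ext_if from <scanners>
pass in on $ext_if proto tcp from <mgmt> to ($ext_if) port 22

# Ports have no table. A contiguous range is still one rule ...
pass in on $ext_if proto tcp to ($ext_if) port 6000:6063 set queue slow_q

# ... but an arbitrary set is a list, which pfctl expands at load time
# into one rule per element, and changing it means a reload.
odd_ports = "{ 1433 1521 3306 3389 5900 8080 }"
pass in on $ext_if proto tcp to ($ext_if) port $odd_ports set queue slow_q
```

To see the expansion rather than take it on faith, run `pfctl -nvf /etc/pf.conf`: `-n` parses without loading, and `-v` prints each rule as pf will actually install it, so the `$odd_ports` line shows up once per port while the table rules and the `6000:6063` range each print exactly once. This is the rule-count growth the post is about, and the reason a port table would matter most for large, non-contiguous sets rather than for ranges.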