Thread: [Fwbuilder-discussion] max-src-conn & max-src-conn-rate
From: Stephan A. R. <ste...@in...> - 2006-07-28 22:14:09
Hi all,

I was about to drop my usage of fwbuilder because I heavily needed
tables and anchors in pf ... however, I all of a sudden discovered that
2.1.5 comes up with exactly these features. So, thanks! I can continue
to use fwbuilder...

Another issue I'd really like to see in fwbuilder is max-src-conn &
max-src-conn-rate in the "Rule Options" => "Source tracking" Dialog. I
assume it is an easy-to-implement feature since it goes along the lines
of the existing max-src-nodes and max-src-states keywords. One could
even think of also adding the 'overload' state option, which refers to a
<table>.

So, are there any plans to do so?

Thanks again, keep up the brilliant work.

-- 
Stephan A. Rickauer

-----------------------------------------------------------
Institut für Neuroinformatik         Tel: +41 44 635 30 50
Universität / ETH Zürich             Sek: +41 44 635 30 52
Winterthurerstrasse 190              Fax: +41 44 635 30 53
CH-8057 Zürich                       Web: www.ini.ethz.ch

RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc
-----------------------------------------------------------
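The state options requested in the message above, as they look in a hand-written pf.conf (an added example, not part of the original thread and not fwbuilder output). The interface name, table name, port and all limits are assumed values.

```pf
# Constructed example: interface, table name and limits are assumptions.
ext_if = "em0"

# Addresses that exceed the connection limits below are added here by pf.
table <abusers> persist

# Drop everything from sources that have already tripped a limit.
block in quick on $ext_if from <abusers>

# Source tracking on the SSH rule:
#   max-src-nodes     - source addresses that may hold state via this rule
#   max-src-states    - state entries per source address
#   max-src-conn      - TCP connections with a completed handshake, per source
#   max-src-conn-rate - new connections per source, as <count>/<seconds>
#   overload <table>  - add a source exceeding a max-src-conn* limit to the table
#   flush global      - also kill that source's existing states, from any rule
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-nodes 500, max-src-states 20, \
     max-src-conn 10, max-src-conn-rate 5/30, \
     overload <abusers> flush global)
```

Because max-src-conn and max-src-conn-rate count only connections that completed the TCP handshake, a spoofed source address cannot be pushed into the overload table.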
From: <va...@vk...> - 2006-07-28 22:22:26
On Jul 27, 2006, at 5:21 PM, Stephan A. Rickauer wrote:

> Hi all,
>
> I was about to drop my usage of fwbuilder because I heavily needed
> tables and anchors in pf ... however, I all of a sudden discovered that
> 2.1.5 comes up with exactly these features. So, thanks! I can continue
> to use fwbuilder...
>

Were you able to generate pf configurations you wanted using tables
and anchors with fwbuilder 2.1? Do you have any comments or other
feedback on the implementation?

> Another issue I'd really like to see in fwbuilder is max-src-conn &
> max-src-conn-rate in the "Rule Options" => "Source tracking" Dialog. I
> assume it is an easy-to-implement feature since it goes along the lines
> of the existing max-src-nodes and max-src-states keywords. One could
> even think of also adding the 'overload' state option, which refers to a
> <table>.
>
> So, are there any plans to do so?
>

Sure, please file a feature request and I'll add these to the next
version in the 2.1 line.

> Thanks again, keep up the brilliant work.
>

thanks

--vk
From: Stephan A. R. <ste...@in...> - 2006-07-31 08:17:04
Hi Vadim,

Vadim Kurland ✈ wrote:
> Were you able to generate pf configurations you wanted using tables and
> anchors with fwbuilder 2.1?

I have never used 2.1 before since my 2.0.9 seems to be ultra stable and
I believed to have no reason to upgrade. In that version I only have to
tweak one thing: OpenBSD version 3.8 comes with a highly sophisticated
ftp-proxy (http://www.openbsd.org/faq/pf/ftp.html) which uses anchors to
dynamically modify pf rules. I currently have to use fwbuilder's Prolog
to put those anchors in, like:

---snip---
# ftp-proxy anchors
# Insert nat-anchor and rdr-anchor lines after the generated "scrub out" rule
for i in nat rdr; do
    perl -p -i -e "s/scrub out.*/$&\n$i-anchor \"ftp-proxy\/*\"/" pf.conf
done
# Insert the filter anchor ahead of the generated "# Tables:" comment
perl -p -i -e "s/# Tables:/anchor \"ftp-proxy\/*\"\n\n$&/" pf.conf
---snip---

But I assume this is already obsolete with 2.1. Time to upgrade?

> Do you have any comments or other feedback on the implementation?

First of all, everything basic seems to work (at least for me in my
environment). This is a good thing. I never had one single case where
fwbuilder created _wrong_ rules.

Secondly, I do know that I could write my pf rules in a much more dense
and much cleaner way manually - but so far I didn't care. I migrated
from linux-iptables to openbsd-pf (no regrets!) and fwbuilder saved my
life. The tradeoff is a slightly less clean ruleset. No problem with me.

Thirdly, what really is sad is that fwbuilder doesn't support traffic
shaping and queuing, especially when one knows all these features are
already included in native pf. I am not complaining - I am just saying
that if someone wants/needs to use altq etc. you can't use fwbuilder at
the moment.

>> Another issue I'd really like to see in fwbuilder is max-src-conn &
>> max-src-conn-rate in the "Rule Options" => "Source tracking" Dialog. I
>> assume it is an easy-to-implement feature since it goes along the lines
>> of the existing max-src-nodes and max-src-states keywords. One could
>> even think of also adding the 'overload' state option, which refers to a
>> <table>.
>>
>> So, are there any plans to do so?
>>
>
> Sure, please file a feature request and I'll add these to the next
> version in the 2.1 line.

Cool. Would you mind if I concentrate a bit more on filing feature
requests related to PF? ;)

Cheers,

-- 
Stephan A. Rickauer
From: Stephan A. R. <ste...@in...> - 2006-07-31 09:22:12
Vadim Kurland ✈ wrote:
> sure, please file a feature request and I'll add these to the next
> version in 2.1 line

done, thanks.

-- 
Stephan A. Rickauer