On Tue, 5 Jan 2010 18:15:28 -0500
nixlists <nixmli...@gmail.com> wrote:

> Hi.
> 
> I think I mentioned that I upgraded one of the machines running pf
> from 4.6 to -current.
> 
> Noticed that pf rule order behavior has changed, so I had to move
> rules around and I of course had to change nat and rdr rules since the
> syntax is new.
> I've read the man page, but not clear on understanding the difference
> between 'match' and 'pass'. What's preferable for nat and rdrs - match
> or pass?

nat and rdr are now declared with match rules.

> What about regular rules? In what sort of situations should I use
> match rather than pass, vice/versa?

When it makes sense in the context of your ruleset.
The explanation of match rules is quite clear in the manpage.
You don't have to use them if you don't need them, except for
translation and scrubbing where they are mandatory.

Those pf changes are explained on
http://www.openbsd.org/faq/current.html
Also henning@ wrote a mail to misc@ about them, that you might be
interested in.

> An issue today was the box totally froze after I removed one of the
> redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
> As soon as I ran systat it froze dead. Not even a panic.

You say you killed a box by trying to load a ruleset?
Checked the config with -n before loading?

> Also there's a problem with
> http://www.openbsd.org/faq/pf/queueing.html , first example - unless I
> am confused it limits internal interface's bandwidth to that of
> external. Why would I want to slow down my inside connection to the
> local network?

The queues on the internal interface in that example are used to limit
download speeds from the "internet". Can't do that on the external
interface. And yes, if not done right those rules would mess with
traffic that is internal and should not have hit those queues in the
first place.

- Robert
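
For reference, the points in the reply above (nat/rdr as match rules, pass rules filtering the translated packet, a pfctl -n check before loading, and download shaping on the internal interface that leaves LAN-local traffic alone) collected into one small pf.conf in the 4.7-era syntax. This is an added example, not from the thread, the FAQ or Robert's mail; the interface names, addresses, the 5Mb downstream rate and the 100Mb LAN link speed are assumptions.

```conf
# Added example pf.conf for the post-4.6 syntax. Names, addresses and
# bandwidth figures below are assumptions, not values from the thread.
ext_if = "em0"              # link to the ISP
int_if = "em1"              # LAN side, assumed to be a 100Mb link
lan    = "192.168.1.0/24"
web    = "192.168.1.10"     # internal web server reachable via rdr-to

set skip on lo

# altq only shapes packets LEAVING an interface, so downloads from the
# internet are shaped where they leave: on $int_if. The root is the LAN
# link speed; only the "inet" subtree is capped at the ISP downstream rate,
# so firewall-to-LAN and other local traffic (default class "lan") is not
# slowed down to the internet speed.
altq on $int_if cbq bandwidth 100Mb queue { lan, inet }
queue lan  bandwidth 95Mb cbq(default)
queue inet bandwidth 5Mb { std_in, web_in }
queue  std_in bandwidth 4Mb
queue  web_in bandwidth 1Mb

# Translation and scrubbing are match rules now: they rewrite the packet
# but never pass or block it. Rules evaluated after them see the translated
# addresses, so the pass rules below name the internal host, not ($ext_if).
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if from $lan to any nat-to ($ext_if)
match in  on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web

block all

# LAN -> internet. The replies to this state leave $int_if, so the queue
# named here is what shapes LAN-initiated downloads.
pass in on $int_if from $lan queue std_in
# LAN -> the firewall itself: last matching rule wins, so this more
# specific rule keeps local traffic out of the 5Mb subtree.
pass in on $int_if from $lan to ($int_if)
# Packets are evaluated again when they leave $ext_if (after nat-to).
pass out on $ext_if
# internet -> web server, already rewritten to $web by the rdr-to above.
pass in on $ext_if proto tcp to $web port 80
# Same packet leaving $int_if; "from ! $lan" keeps anything local out of
# the shaped queue.
pass out on $int_if proto tcp from ! $lan to $web port 80 queue web_in
# The firewall's own traffic to the LAN: no queue, so it lands in "lan".
pass out on $int_if from ($int_if) to $lan
```

Check it with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, as the reply suggests; `pfctl -sr` shows the match rules in place alongside the pass rules, and `pfctl -s queue` (or `systat queues`) shows whether downloads actually land in std_in/web_in while local traffic stays in lan.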
