Re: Shell for PF

2013-06-05 Thread Henning Brauer
* Fil DiNoto [2013-02-16 21:54]: > I prefer rule processing order Kinda funny, that is what I consider the biggest (and unfixable) mistake in pf. But that's all history. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail
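The "rule processing order" Henning refers to is pf's last-matching-rule-wins evaluation (overridden only by `quick`), as opposed to the first-match evaluation of Cisco/Juniper-style ACLs that the thread's other posters are used to. The following is an added example, not code from the thread or from OpenBSD: a small Python model of both evaluation strategies run over two constructed rulesets. It deliberately ignores direction, interface, protocol and state (all assumptions of the model) and keeps only source, destination and destination port, which is enough to show why an ACL-shaped ruleset that ends in "block all" blocks everything under pf, and why the pf idiom is "block all first, then pass, with `quick` on rules that must not be overridden".

```python
"""Model of pf's last-match-wins rule evaluation versus first-match ACLs.

Added example, not OpenBSD code.  Simplifying assumptions: rules carry only
action, optional 'quick', source/destination network and destination port;
no direction, interface, protocol or state tracking is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    quick: bool = False         # pf 'quick': stop evaluating on match
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    port: Optional[int] = None  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def _addr_in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate_pf(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the LAST matching rule decides, unless a matching rule
    is marked 'quick', in which case evaluation stops there.  A packet that
    matches no rule at all is passed (pf's default)."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def evaluate_first_match(rules: List[Rule], pkt: Packet,
                         default: str = "block") -> str:
    """ACL semantics (IOS/JunOS style): the FIRST matching rule decides;
    an implicit deny applies when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rulesets.  Addresses are RFC 5737 documentation ranges.
HOSTILE_NET = "203.0.113.0/24"
ADMIN_HOST = "192.0.2.10/32"

# What someone used to ACLs tends to write: deny the bad net, permit what
# is needed, then "deny everything else" at the bottom.
ACL_STYLE = [
    Rule("block", src=HOSTILE_NET),
    Rule("pass", dst=ADMIN_HOST, port=22),
    Rule("block"),
]

# The pf idiom: default deny FIRST, 'quick' on the rule that must not be
# overridden by a later pass, then the specific pass rules.
PF_STYLE = [
    Rule("block"),
    Rule("block", quick=True, src=HOSTILE_NET),
    Rule("pass", dst=ADMIN_HOST, port=22),
]

# Constructed sample traffic.
HOSTILE_SSH = Packet("203.0.113.5", "192.0.2.10", 22)
TRUSTED_SSH = Packet("198.51.100.7", "192.0.2.10", 22)
TRUSTED_HTTP = Packet("198.51.100.7", "192.0.2.10", 80)


def compare(rules: List[Rule], pkt: Packet) -> dict:
    """Return both engines' verdicts for one packet, for side-by-side review."""
    return {"pf": evaluate_pf(rules, pkt),
            "first_match": evaluate_first_match(rules, pkt)}


if __name__ == "__main__":
    for name, rules in (("ACL_STYLE", ACL_STYLE), ("PF_STYLE", PF_STYLE)):
        for pkt in (HOSTILE_SSH, TRUSTED_SSH, TRUSTED_HTTP):
            print(name, pkt, compare(rules, pkt))
```

Under first-match, ACL_STYLE does what its author intended; under pf the trailing "block all" is the last match for every packet, so even the trusted SSH session is blocked. PF_STYLE behaves correctly under pf and, symmetrically, blocks everything under first-match because its first rule is the catch-all block. The point for an operator moving between the two worlds is that the same text means different things, which is why a shell that merely looks like JunOS would not remove this class of mistake.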

Re: Shell for PF

2013-02-17 Thread Vadim Zhukov
2013/2/16 Matthew Weigel : > On Feb 16, 2013, at 5:28 AM, Vadim Zhukov wrote: > >> 2013/2/16 Fil DiNoto : >>> But this is all off-topic, I'm not slamming pf in any way, I love it. I >>> was just saying it can't hurt to try to emulate what people know if at >>> all possible. And the fact is that juno

Re: Shell for PF

2013-02-16 Thread Lars Hansson
On Sat, Feb 16, 2013 at 10:41 AM, Fil DiNoto wrote: > with something vaguely familiar to what they would encounter in the > other equipment like cisco or juniper they would be far less likely to > make a mistake that would result in an outage or security problem. So > as superficial as this might

Re: Shell for PF

2013-02-16 Thread Fil DiNoto
You've convinced me. Why try to emulate something, even if it is just cosmetic, that isn't as good. That's just going to obscure what pf really is. I must be honest though, I wouldn't know how to answer someone if they asked me why pf is better than say an SRX or ASA firewall-router or vice versa.

Re: Shell for PF

2013-02-16 Thread Matthew Weigel
On Feb 16, 2013, at 5:28 AM, Vadim Zhukov wrote: > 2013/2/16 Fil DiNoto : >> But this is all off-topic, I'm not slamming pf in any way, I love it. I >> was just saying it can't hurt to try to emulate what people know if at >> all possible. And the fact is that junos/ios have the market share so >>

Re: Shell for PF

2013-02-16 Thread Diana Eichert
I work on Cisco ASA, Juniper ScreenOS & Junos commercial firewalls, Linux iptables on various systems. All because that is what they pay me to support. However, when I need to set up something in the Lab that works I use OpenBSD pf, which it does quite well. I've tried, without success, to get co

Re: Shell for PF

2013-02-16 Thread Vadim Zhukov
2013/2/16 Fil DiNoto : > Well in this case JunOS, IOS, and Brocade would be what people know > and are accustomed to, because these are common brands. But I was > speaking of my experiences in working at an ISP and using vendors that > most people haven't heard of. Alcatel, Atrica to name a couple,

Re: Shell for PF

2013-02-15 Thread Fil DiNoto
Well in this case JunOS, IOS, and Brocade would be what people know and are accustomed to, because these are common brands. But I was speaking of my experiences in working at an ISP and using vendors that most people haven't heard of. Alcatel, Atrica to name a couple, multi-service customer premise

Re: Shell for PF

2013-02-15 Thread Daniel Ouellet
Hi, I own an ISP and I see no problem using OpenBSD, or Cisco, as routers and I have no problem with the configuration of PF. I kind of find it much simpler than Cisco. Definitely better man page for sure! (:> Just know, you don't need every single feature of PF to have a great router. PF does of

Re: Shell for PF

2013-02-15 Thread Fil DiNoto
I was drawing from situations where we implemented hardware from a less well known vendor that has a completely different configuration style than what most people are used to. We end up having more outages caused by human error to the point where the equipment gets a bad reputation. Unfortunately

Re: Shell for PF

2013-02-15 Thread Theo de Raadt
> I would like to offer a suggestion though from my experience, > simplifying the configuration of a device greatly increases its > security, operationally. So if users (network IT staff) are presented > with something vaguely familiar to what they would encounter in the > other equipment like cisc

Re: Shell for PF

2013-02-15 Thread Theo de Raadt
> Someone referred me to NSH which is exactly what I was thinking of. No, NSH is not what you are thinking of at all. You are asking for something which nests the *entire hierarchy* of command structure to control interfaces and stuff PLUS pf... but NSH cannot do that in the 'natural way' you ask

Re: Shell for PF

2013-02-15 Thread Fil DiNoto
ight seem to you in practice I think it would have a large impact On Fri, Feb 15, 2013 at 5:42 PM, Theo de Raadt wrote: >> I was wondering why nobody has ever created a shell for pf so that you >> could manipulate it in a way similar to JunOS instead of editing >> pf.conf. Also

Re: Shell for PF

2013-02-15 Thread sven falempin
On Fri, Feb 15, 2013 at 8:42 PM, Theo de Raadt wrote: > > I was wondering why nobody has ever created a shell for pf so that you > > could manipulate it in a way similar to JunOS instead of editing > > pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff > >

Re: Shell for PF

2013-02-15 Thread Theo de Raadt
> I was wondering why nobody has ever created a shell for pf so that you > could manipulate it in a way similar to JunOS instead of editing > pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff > like that. Because pf does not follow the configuration model of a swit

Shell for PF

2013-02-15 Thread Fil DiNoto
I was wondering why nobody has ever created a shell for pf so that you could manipulate it in a way similar to JunOS instead of editing pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff like that.