Discussion:
npf vs. pf
D'Arcy J.M. Cain
2014-12-10 05:15:19 UTC
I have been having issues with pf. See "pf add not working" in
netbsd-users for details. Basically I have created a persistent table
and dynamically add and delete to/from it based on my intrusion
system. Everything seems to work but even with IPs in the table as
shown by pfctl it seems that people still get through. Something weird
is going on. I wonder if it is pf itself.

I asked if npf would have a good shot at fixing this issue but no one
has replied to that question. Anyone here have any thoughts on that?
Is npf stable enough to consider replacing pf on a production server?

Thanks.
--
D'Arcy J.M. Cain <***@NetBSD.org>
http://www.NetBSD.org/ IM:***@Vex.Net

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Jean-Yves Migeon
2014-12-10 13:49:56 UTC
Post by D'Arcy J.M. Cain
I have been having issues with pf. See "pf add not working" in
netbsd-users for details. Basically I have created a persistent table
and dynamically add and delete to/from it based on my intrusion
system. Everything seems to work but even with IPs in the table as
shown by pfctl it seems that people still get through. Something weird
is going on. I wonder if it is pf itself.
I asked if npf would have a good shot at fixing this issue but no one
has replied to that question. Anyone here have any thoughts on that?
npfctl(8) can definitely do that -- see "npfctl table"

http://www.netbsd.org/~rmind/npf/
Post by D'Arcy J.M. Cain
Is npf stable enough to consider replacing pf on a production server?
Thanks.
Best way to confirm this is to give it a go. Depending on the features
you are using it can be a drop-in replacement or require tweaking to
reach the same functionality.

I got it running @home and it works fine, but my setup is pretty
standard (stateful filtering and binat).

BTW rmind@ does a wonderful job at supporting it.
--
Jean-Yves Migeon

D'Arcy J.M. Cain
2014-12-10 15:15:50 UTC
On Wed, 10 Dec 2014 14:49:56 +0100
Post by Jean-Yves Migeon
Post by D'Arcy J.M. Cain
I asked if npf would have a good shot at fixing this issue but no
one has replied to that question. Anyone here have any thoughts on
that?
npfctl(8) can definitely do that -- see "npfctl table"
Yes, I have read the documentation. I know what it claims to do. My
question was about how well it delivers.

In any case I think I will have to stick with pf a bit longer, at least
until npf grows a -D option. I use rc.conf to specify $int_if and
$ext_if but npf doesn't support that. I checked the source and it
isn't just a lack of documentation. Also, I don't see anything to
suggest that I can put comments into the table files. That would be a
"nice to have."
--
D'Arcy J.M. Cain <***@NetBSD.org>
http://www.NetBSD.org/ IM:***@Vex.Net

Mindaugas Rasiukevicius
2014-12-10 22:52:44 UTC
Post by D'Arcy J.M. Cain
On Wed, 10 Dec 2014 14:49:56 +0100
Post by Jean-Yves Migeon
Post by D'Arcy J.M. Cain
I asked if npf would have a good shot at fixing this issue but no
one has replied to that question. Anyone here have any thoughts on
that?
npfctl(8) can definitely do that -- see "npfctl table"
Yes, I have read the documentation. I know what it claims to do. My
question was about how well it delivers.
It is a key feature. If it did not deliver, it would be a major bug.
Worth pointing out that npftest has unit tests for tables and they are
part of NetBSD's periodic test suite runs.
Post by D'Arcy J.M. Cain
In any case I think I will have to stick with pf a bit longer, at least
until npf grows a -D option. I use rc.conf to specify $int_if and
$ext_if but npf doesn't support that. I checked the source and it
isn't just a lack of documentation.
What is the benefit here?
Post by D'Arcy J.M. Cain
Also, I don't see anything to
suggest that I can put comments into the table files. That would be a
"nice to have."
All lines which start with # are ignored. So you can put comments in;
it is just not mentioned in the documentation.
--
Mindaugas

D'Arcy J.M. Cain
2014-12-11 00:24:59 UTC
On Wed, 10 Dec 2014 22:52:44 +0000
Post by Mindaugas Rasiukevicius
Post by D'Arcy J.M. Cain
In any case I think I will have to stick with pf a bit longer, at
least until npf grows a -D option. I use rc.conf to specify
$int_if and $ext_if but npf doesn't support that. I checked the
source and it isn't just a lack of documentation.
What is the benefit here?
I have a standard pf.conf for all my servers. In my rc.conf I have
versions of this:

pf="YES" pf_flags="-Dext_if=wm0 -Dint_if=wm1"

I change the interface based on the individual server. Without the -D
option I would have to make a different npf.conf.
Post by Mindaugas Rasiukevicius
Post by D'Arcy J.M. Cain
Also, I don't see anything to
suggest that I can put comments into the table files. That would
be a "nice to have."
All lines which start with # are ignored. So you can put comments in;
it is just not mentioned in the documentation.
How about this?

# List of enemies
254.502.128.312 # TV idea of an IP address

In practice I add a comment with the date added and why. If the
comment needs to be on a separate line then the file is three times as
long linewise. One for the comment, one for the IP and a blank line to
separate the comment/IP from the next one.
--
D'Arcy J.M. Cain <***@NetBSD.org>
http://www.NetBSD.org/ IM:***@Vex.Net

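The thread leaves the inline-comment question open: npf ignores lines that start with #, but the block-list file D'Arcy describes keeps the date and reason on the same line as the address. The following preprocessor is an added example (not code from the thread or from the NetBSD project): it reads the annotated format, validates each entry with Python's ipaddress module so that a malformed address like the one in the post is reported rather than silently dropped, and rewrites the file with each comment on its own # line, which is the only npf rule the example relies on. The sample table contents and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the annotated format from the thread: a
# leading comment line, then address/prefix followed by an inline note.
SAMPLE_TABLE = """\
# List of enemies
254.502.128.312 # TV idea of an IP address
192.0.2.10      # 2014-12-10 ssh brute force, documentation address
2001:db8::/32   # 2014-12-09 documentation prefix, constructed entry
203.0.113.0/24  # 2014-12-08 scanning, documentation range
198.51.100.7/24 # host bits set: should be rejected, not reinterpreted
"""


def parse_annotated_table(text):
    """Return (entries, errors).

    entries: list of (address_or_prefix, comment) in file order.
    errors:  list of (line_number, offending_text) for unparsable lines.
    Full-line comments and blank lines are skipped, matching npf.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, comment = line.partition("#")
        addr, comment = addr.strip(), comment.strip()
        try:
            if "/" in addr:
                # strict=True rejects prefixes with host bits set instead
                # of quietly masking them to a different network.
                net = ipaddress.ip_network(addr, strict=True)
            else:
                net = ipaddress.ip_address(addr)
        except ValueError:
            errors.append((lineno, addr))
            continue
        entries.append((str(net), comment))
    return entries, errors


def render_npf_table(entries):
    """Emit the table with every comment on its own '#' line, so that
    npf's 'lines starting with # are ignored' rule is all that is needed."""
    out = []
    for net, comment in entries:
        if comment:
            out.append("# " + comment)
        out.append(net)
    return "\n".join(out) + "\n"
```

Run it over the real block list before loading: a non-empty error list means an entry would never have matched anything, which is one explanation for hosts "still getting through" that a glance at the table listing does not reveal.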