For too long I have had plans to take a look at pf(4) to figure out
whether I liked it or not. Today I managed to build a working pf
ruleset that was not only better than the old ipfw ruleset but much
shorter as well.
Since I have always been building ipfw into my kernels I decided to
remove that and add pf instead. That way the motivation for getting
pf to work well would be greater too.
Adding pf to the kernel is simple enough:
device pf
Since the ruleset is for my laptop I need all ports closed to incoming connections, allowing only connections initiated from the host itself. I didn't find an example that did this, but it proved easy enough to build it myself.
Here it is:
set block-policy return
set skip on lo0
block in all
pass out proto { tcp, udp } all keep state
pass in proto { icmp, icmp6 } all
pass out proto { icmp, icmp6 } all
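As an added, annotated version of the same laptop-style ruleset (example only, not the post's own file), the following pf.conf spells out what each line does and tightens the ICMP rules. The log keyword on the default deny, the echoreq-only rule for ICMPv4, and the explicit list of ICMPv6 types are assumptions made here for a typical laptop; the post itself passes all ICMP in both directions.

```pf
# Example pf.conf for a single host that only initiates connections.
# Added as an illustration; the logging and ICMP restrictions below
# are assumptions, not rules from the original post.

# Answer blocked TCP with RST and blocked UDP with ICMP unreachable
# instead of dropping silently, so local clients fail fast rather
# than hanging until they time out.
set block-policy return

# Never filter loopback traffic.
set skip on lo0

# Default deny for everything arriving on any interface, and log it
# (assumption: device pflog is in the kernel and pflog_enable is set)
# so you can see what was rejected when something stops working.
block in log all

# Allow anything this host starts; the state entry created here is
# what lets the replies back in, so no explicit "pass in" is needed.
pass out proto { tcp, udp } all keep state

# ICMPv4: only let echo requests in (so the laptop answers ping).
# Assumption: the post passes all ICMP types inbound.
pass in inet proto icmp all icmp-type echoreq keep state

# ICMPv6: echo requests plus the neighbor/router discovery types;
# blocking those would break IPv6 address configuration on the LAN.
# Assumption: the post passes all ICMPv6 types inbound.
pass in inet6 proto icmp6 all icmp6-type { echoreq, neighbrsol, neighbradv, routeradv } keep state

# Let all ICMP/ICMPv6 out, e.g. for outgoing ping and path MTU discovery.
pass out proto { icmp, icmp6 } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing is changed), load it with `pfctl -f /etc/pf.conf`, and inspect the result with `pfctl -sr` (loaded rules) and `pfctl -ss` (state table). To have it come up at boot, set `pf_enable="YES"` and, for the logging rule, `pflog_enable="YES"` in /etc/rc.conf. On pf versions where pass rules are stateful by default, the explicit `keep state` is redundant but harmless.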
The next machine to be migrated away from ipfw will probably be my
workstation. To do that I need to figure out how to make ALTQ do the
same as ipfw pipes. The last machine will probably be my gateway which
does NAT. There are lots of examples on that so I expect it to be easy enough.