Follow

At @bsdcan, the "Network Management with the OpenBSD PF toolset" session has started, slides at home.nuug.no/~peter/pftutorial (@stucchimax and I alternating)

@pitrh Great lecture, thank you. The dhcpd(8) leases trick is woot woot!!!
May I ask:
- Why not using "modulate state" with "flags S/A". Especially on Slide 12 (Lapop)?
- I don't understand when to choose between rdr-to or divert-to. Why not using rdr-to for the spamd redirection? What's the key for choosing between those?
- I like the _ prefixed variable name format (like in /etc/rc or /etc/netstart). Can those be used in /etc/pf.conf? Does it even make sense or is it just a matter of taste?

@jcarnat Thanks! Happy to hear you enjoyed it!

The first is mainly to keep not overcomplicate the slides.

The second, divert-to is more efficient for local (same-system) traffic and spamd was changed to divert-to some releases back (used rdr-to earlier).

For the last, limited tests indicate it would be legal syntax at least:

~$ cat testthis
_prefix="192.168.103.1"

pass from $_prefix
~$ doas pfctl -vnf testthis
_prefix = "192.168.103.1"
pass inet from 192.168.103.1 to any flags S/SA

@pitrh Thanks a lot for those answers. Crystal clear :)

Do you know if that underscore prefix is « the OpenBSD way » or a fantasy or an error that will rollback soon?

I already switched all my ksh script to using _. But my pf rules are still using the syntax of your slides. So I’m sure which path to take :p

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!