ipfirewall tricks

Atom Powers atom.powers at gmail.com
Fri May 5 15:53:28 UTC 2006


Unlike pf, pflog does not have a loadable module. You have to build it
into the kernel.

On 5/5/06, Bryan Curl <bc3910 at gmail.com> wrote:
> On second look PF has some definite improvements over IPFilter.
> My rule set file is half as long for one thing. I like the macros and
> tables.
>
> I'm still reading through the documentation, but, I have not figured out why
> the log doesn't seem to be working yet. I have all the required entries in
> rc.conf.
> pf_enable="YES" # Enable PF (load module if required)
> pf_rules="/etc/pf.conf" # rules definition file for pf
> pf_flags="" # additional flags for pfctl startup
>
> pflog_enable="YES" # start pflogd(8)
> pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> pflog_flags="" # additional flags for pflogd startup
>
> Handbook at http://www.openbsd.org/faq/pf/ seems to indicate I need a
> device named pflog0 which I do not have. Also pflogd does not start on boot
> even though it is listed in rc.conf. Perhaps the start up script did not get
> installed into the correct location. My installation was from the 6.0 release
> ISO, so I would naturally assume it is correct.
>
> Thanks for the reminder of this program. I think I will like it better than
> the others for my purposes and administrative skill level.
>
>
> On 5/2/06, Atom Powers <atom.powers at gmail.com> wrote:
> > On 5/2/06, Bryan Curl <bc3910 at gmail.com> wrote:
> > > I want to limit time my kids spend on the internet.
> > > The way I am doing it is to make varying, separate ipf.rules files and
> > > install them from cron at the appropriate time.
> > > Problem is, if I make a change to one file, I generally have to update all
> > > the others accordingly.
> > >
> > > Is there a better way? I have read man ipf but didn't come out with any
> > > ideas.
> >
> > I would use pf and have something like this:
> >
> > pf.conf
> > ----
> > table <kids> persist
> > block out from <kids> to any
> > ----
> >
> > crontab
> > ----
> > pfctl -t kids -T add kids.ip.to.block
> > pfctl -t kids -T delete kids.ip.to.allow
> > ----
> >
> > You can also keep the IPs in a flat file and just tell pf to re-read
> > the file (or read a different file) to update the table.
> >
> > I love pf.
> >
> > --
> > --
> > Perfection is just a word I use occasionally with mustard.
> > --Atom Powers--
> >
>
>
>
> --
>
> --
> Bryan
> bc3910 'at' gmail 'dot' com


--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
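The cron-driven table approach sketched in the quoted reply, as an added example that is not code from this thread: a small /bin/sh script works out the wanted state from the current hour and drives pf through pfctl's -T flush and -T replace -f, so the hosts to restrict live in one address file and the rule set itself never changes. The table name, the address file path, the interface name, the script path in the crontab line and the 16:00 to 20:59 window are all assumptions.

```sh
#!/bin/sh
# kidsnet.sh: flip a pf table from cron so a single rule set covers every
# time window. Added example for this thread; the file, table and
# interface names are hypothetical, not anyone's posted configuration.
#
# Assumed /etc/pf.conf fragment:
#   int_if = "fxp0"
#   table <kids> persist file "/etc/pf.kids.addrs"
#   block in quick on $int_if from <kids> to any
#
# Assumed crontab entry (the actions are idempotent, so it can simply
# run every 15 minutes instead of once per transition):
#   */15 * * * * /usr/local/sbin/kidsnet.sh apply

ADDR_FILE="${ADDR_FILE:-/etc/pf.kids.addrs}"   # one host or network per line
TABLE="${TABLE:-kids}"
PFCTL="${PFCTL:-pfctl}"                         # PFCTL=echo gives a dry run

# Allowed window on the 24h clock: ALLOW_START <= hour < ALLOW_END
ALLOW_START=16
ALLOW_END=21

# kids_state HOUR -> prints "allow" inside the window, "block" outside it.
# HOUR is the two-digit value printed by `date +%H`; a leading zero is
# stripped so that "08" is not read as an invalid octal number.
kids_state() {
    h=${1#0}
    if [ "$h" -ge "$ALLOW_START" ] && [ "$h" -lt "$ALLOW_END" ]; then
        echo allow
    else
        echo block
    fi
}

# pf_args STATE -> prints the pfctl(8) arguments that realise STATE.
# "-T flush" empties the table (nothing matches, the hosts are allowed);
# "-T replace -f FILE" reloads it from the address file (hosts blocked).
pf_args() {
    case "$1" in
        allow) printf '%s\n' "-t $TABLE -T flush" ;;
        block) printf '%s\n' "-t $TABLE -T replace -f $ADDR_FILE" ;;
        *)     return 1 ;;
    esac
}

# apply_state STATE -> runs pfctl for STATE; the exit status is pfctl's.
apply_state() {
    args=$(pf_args "$1") || { echo "kidsnet: unknown state '$1'" >&2; return 1; }
    # word splitting of $args is intentional: it is the argument list
    "$PFCTL" $args
}

case "${1:-}" in
    apply) apply_state "$(kids_state "$(date +%H)")" ;;
    state) kids_state "$(date +%H)" ;;
    "")    : ;;   # no argument (e.g. sourced): only define the functions
    *)     echo "usage: $0 apply|state" >&2; exit 64 ;;
esac
```

Using -T replace -f on one address file, rather than add and delete commands per host, means that when a machine's address changes the address file is the only thing to edit, which is the maintenance problem the original question describes. The rule in the assumed pf.conf matches inbound on the inside interface: on a NAT gateway the restricted hosts' source addresses are translated before a packet leaves the outside interface, so a rule matching them on the way out would not see them.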


More information about the freebsd-questions mailing list