So Teemu has been nagging me for some time. And Darren seems to have no time to fix ipfilter.
So today I migrated to PF. It was quite straightforward, although not as easy as the ipfw -> ipfilter migration a few years ago, which surprisingly worked on my first try.
This time I needed three tries. First I added the wrong pass rules for the redirect rules (in ipfilter the NAT is done after filtering, in PF before the filtering), then I confused $int_if:network with $internal_net (no, they are not identical in my case), and the last error was that I was blocking RFC1918 nets although I was using one 🙂 (the cause of this error is similar to the first error).
I still don't quite understand my ruleset (especially why outgoing NTP packets get blocked although I have allowed all outgoing TCP and UDP).
But the essential parts seem to work: I can IRC, I can receive emails, and you can read my blog.
I will try to fix the corner cases over the next week and try to look at the more sophisticated rules, like spamd, altq, carp, etc.
What I really like about PF is the pflog0 device; it makes it really easy to analyze errors in the ruleset.
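To make the first and third mistake above concrete, here is a small pf.conf written for this post as an added example (it is not the author's ruleset). The interface names, the addresses, the web server and the two-subnet $internal_net are assumptions chosen for illustration; the point it shows is that PF evaluates rdr and nat before the filter rules, so the pass and block rules have to be written against the translated addresses.

```pf
# Added example, not the post's own ruleset.  Interface names, addresses and
# the web server below are assumptions chosen for illustration.
ext_if = "fxp0"
int_if = "fxp1"
# $int_if:network is derived from the interface's own address and netmask.
# $internal_net is whatever you define yourself; here it is deliberately
# wider than $int_if:network, to cover a second subnet routed behind $int_if.
internal_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
webserver = "192.168.1.10"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translation runs before filtering in PF: every filter rule below sees the
# redirected packet with its destination already rewritten to $webserver,
# and outgoing NATed packets with their source already rewritten to $ext_if.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80
nat on $ext_if from $internal_net to any -> ($ext_if)

block all

# Anti-spoofing on the outside interface: match on the SOURCE only.
# A "block in ... from any to <rfc1918>" here would also drop the redirected
# web traffic, because at filter time its destination is 192.168.1.10.
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>

# WRONG (the ipfilter way of thinking): matches the public address, which the
# filter never sees for redirected packets, so they fall through to "block all".
# pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# RIGHT: match the translated destination.
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state

# Inside: $int_if:network alone would not cover 192.168.2.0/24.
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

# Outgoing traffic from the firewall and the NATed hosts.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. When something is still dropped, `tcpdump -n -e -ttt -i pflog0` shows each blocked packet together with the number of the rule that matched (`rule N/0(match): block in on fxp0: ...`), and `pfctl -vvsr` prints the loaded ruleset with the same `@N` numbers, so a packet that ends up in "block all" instead of a pass rule is easy to trace back to an address the pass rule never matches.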
One thought on “Migrating to PF”
pf is indeed very cool in a billion little or bigger ways 🙂