Thanks for the reply Theo, big fan of OpenBSD. Someone referred me to NSH, which is exactly what I was thinking of. It even incorporates ifconfig so you can do all the layer 2 stuff, which is more than I was hoping for. Can't wait to play with it. I know exactly what you mean about the hardware differences and the challenges that would go into creating a true JunOS-style experience; I was just looking for a way to fake it.

I'm not a coder at all; I'm a network guy, and OpenBSD has been my OS of choice for many years when I need a router for a lab or when hardware isn't available. pf rocks! I can't stand iptables. It's like they had a contest to see who could come up with the longest possible minimum command to block/open a port.

I would like to offer a suggestion, though. From my experience, simplifying the configuration of a device greatly increases its security, operationally. So if users (network IT staff) are presented with something vaguely familiar to what they would encounter in other equipment like Cisco or Juniper, they would be far less likely to make a mistake that would result in an outage or security problem. So as superficial as this might seem to you, in practice I think it would have a large impact.

On Fri, Feb 15, 2013 at 5:42 PM, Theo de Raadt <[email protected]> wrote:
>> I was wondering why nobody has ever created a shell for pf so that you
>> could manipulate it in a way similar to JunOS instead of editing
>> pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff
>> like that.
>
> Because pf does not follow the configuration model of a switch or
> router, or other such device, which have much simpler configuration.
>
> pf is capable of doing things *much much more complex*.
>
> If you spent 1 hour trying to build what you wonder about, rather than
> writing such a mail, you would begin to understand the problem.

