> On 19 Dec 2020 at 14:50, Aham Brahmasmi <[email protected]> wrote:
>
>>> Always put your interfaces into groups. Identify based upon the groups.
>
> In case there are more such simple rules of thumb, could you please
> share them?
I think that piece of advice is one of the more important ones you're likely to get.

Adding to that, in my experience, the important thing is to make your configurations as simple as possible but not simpler :)

I would like to stress using pf.conf readability features as helpers to keeping your config maintainable, so

* use service names when feasible instead of port numbers,
* use tables for groups of IP addresses,
* use macros where they do help readability,
* write rules that specify only what would be a deviation from the default (the defaults are, in general, sane),
* before actually loading a changed config, run pfctl -vnf /etc/pf.conf to see what *actually* loads.

That last one will among other things show you the result of the ruleset optimizer's work, so when you see obviously generated table names, you likely have a set of rules that differ only in their source or destination address. That is a surprisingly frequent phenomenon, and for some reason more people than you would think are unaware that you can initialize a table or even load new content into one from a separate file.

If you haven't already, you might glean a few useful bits from going through the PF tutorial slides at https://home.nuug.no/~peter/pftutorial/ and links therein.

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
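As an added illustration of the points in the reply above (this is not a ruleset from the mail or from the PF tutorial), here is a small pf.conf that uses macros, an interface group, tables loaded from a separate file and service names, and that only states what deviates from a default block. The interface names em0/em1, the group name "lan", the table file path /etc/pf/lan_hosts and the address lists are assumptions made for the example.

```pf
# Added example pf.conf; interface names, group name, file path and
# addresses are assumptions for illustration, not taken from the thread.

# Macros: name each interface once, refer to it by role below.
ext_if = "em0"
int_if = "em1"

# Interface group: membership is set outside pf.conf, e.g.
#   ifconfig em1 group lan
# Rules below match on the group name "lan" instead of on em1, so adding
# another interface to the group needs no ruleset edit.

# Tables: groups of addresses. <lan_hosts> is initialised from a file
# (one address or network per line) that can be edited and reloaded
# without touching the ruleset. <bruteforce> is filled at run time by
# the overload rule at the end.
table <lan_hosts> persist file "/etc/pf/lan_hosts"
table <bruteforce> persist
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, \
                         192.168.0.0/16, 224.0.0.0/3 }

# Service names from /etc/services instead of bare port numbers.
client_out = "{ ssh, domain, ntp, www, https }"

set skip on lo

# Default: block (and log) everything, then open up only what is needed.
block log all

# Obviously bogus source addresses never belong on the outside interface.
block in quick on $ext_if from <martians> to any

# Hosts that tripped the rate limit below stay blocked until the table
# is flushed or the entries are removed with pfctl -t bruteforce -T ...
block quick from <bruteforce>

# Outbound client traffic from the firewall and forwarded from the LAN.
pass out on $ext_if proto { tcp, udp } to any port $client_out

# Anything listed in <lan_hosts> may come in on a "lan" group interface.
pass in on lan from <lan_hosts> to any

# SSH to the firewall itself, with a connection rate limit: sources that
# exceed 5 connections in 3 seconds are added to <bruteforce> and their
# existing states are dropped.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)
```

Before loading, `pfctl -vnf /etc/pf.conf` parses the file and prints the rules as they would actually be loaded, including any tables the optimizer generates from rules that differ only in address. The table file can be refreshed independently of the ruleset with `pfctl -t lan_hosts -T replace -f /etc/pf/lan_hosts`, and `pfctl -t bruteforce -T show` lists the hosts the overload rule has caught so far.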

