Bâkır EMRE | 24 Apr 08:49

OpenBSD PF new features

With the release of OpenBSD 4.1, the new PF features we can use are listed as follows.

* keep state is now the default on pass rules

* Likewise, flags S/SA is among the new defaults

* ruleset optimization can be enabled in pf.conf.

.....


Each release since 3.0 has included exciting updates to PF. OpenBSD 4.1 is no different. From enabling keep state and flags S/SA by default, to further synchronizing pfctl command line options with what can be done inside pf.conf, to greater logging flexibility and improved anchor support, the PF development team continues to expand PF's usability and functionality. Read on for more information about each of the PF updates.

keep state now default

The default action with pass rules is to keep state. To prevent keeping state on a rule, use no state: "pass on $vpn_if all no state". To apply options like max, max-src-conn-rate and max-src-states, you must explicitly specify keep state.

flags S/SA now default

For stateful TCP connections, S/SA are the default flags checked. From the man page, "out of SYN and ACK, exactly SYN may be set." To override this behavior and not check TCP flags, use "flags any".

The ruleset optimiser can be enabled in pf.conf(5)

set ruleset-optimization basic is the default behavior for pf: duplicate rules are removed, rules that are a subset of another rule are removed, multiple rules are combined into a table when advantageous and rules are reordered to improve performance. Other options besides "basic" are "none" and "profile". See pf.conf(5) for more information. pfctl(8) command line options can override what is specified in pf.conf (pfctl -o none).

pfctl(8) can now expire table entries

pfctl -t badssh -T expire 86400 will expire table entries either 86400 seconds old or 86400 seconds since the last time their statistics were cleared.

hoststated(8) is a NEW load balancing daemon at layers 3 & 7

hoststated does load balancing by keeping pf tables and rdr rules up to date. Rulesets are managed through the rdr-anchor "hoststated/*" anchor. See hoststated.conf(5) for configuration information and hoststatectl(8) for control information.

pflog(4) is clonable

After creating additional pflog interfaces (using ifconfig), rules can specify which pflog interface to use: "pass out log to pflog1 on $ext_if to port smtp". This will log traffic sent to SMTP servers to a different log interface than the default. pflogd(8) and spamlogd(8) (spamlogd -l pflog1) can now be told which pflog interface to work with.

pfsync(4) is clonable as well

This enables pfsync0 to only exist if needed.

Anchors can be loaded inline in the main pf.conf(5)

Previously, anchors were loaded from external files (load anchor foo from "/etc/pf-foo.conf") or through pfctl(8), ftp-proxy(8) or authpf(8). Filter anchors can now be loaded inline within a brace delimited block (from pf.conf(5)):

    anchor "external" on egress {
            block
            anchor out {
                    pass proto tcp from any to port { 25, 80, 443 }
            }
            pass in proto tcp to any port 22
    }

Anchors can also be recursively printed with pfctl(8): pfctl -a 'authpf/*' -sr (which prints the authpf ruleset recursively). Rules inside anchors can have their counters reset.

pf(4) can select between multiple routing tables

The route(8) command (and the routing daemons) can be told which routing table to modify: route -n -T1 add -inet 10.8.8.0/24 10.1.1.1. Rules can be written to take advantage of specific routing tables: pass in on $ext_if from $companyA rtable 1.

source: http://undeadly.org/cgi?action=article&sid=20070424020008
-- 
Bâkır EMRE
I. Türkiye BSD Konferansı
http://www.bsdcontr.org
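Added example, not code from the original post or from the undeadly article: one pf.conf that exercises the 4.1 features quoted above together, so the new defaults and their opt-outs can be seen side by side. The interface names (em0, tun0), the table names, the 192.0.2.0/24 address block and the connection-rate limit are assumptions chosen for illustration; the pflogd, ifconfig, pfctl and route invocations in the comments are the ones the article names.

```pf
# Added example (not from the original post or the undeadly article).
# Interface names, tables, addresses and limits below are assumptions.

ext_if = "em0"
vpn_if = "tun0"
table <badssh> persist
table <companyA> { 192.0.2.0/24 }

# Ruleset optimiser: "basic" is the 4.1 default, written out here for
# clarity. The command line wins over this line: pfctl -o none -f /etc/pf.conf
set ruleset-optimization basic

block in on $ext_if

# keep state is now implicit on every pass rule; opt out per rule with
# "no state" (for example on a VPN interface whose tunnel is already stateful).
pass on $vpn_if all no state

# Options such as max-src-conn-rate still require an explicit "keep state".
# Sources opening more than 5 SSH connections in 30 s land in <badssh>;
# age them out afterwards with: pfctl -t badssh -T expire 86400
block in quick on $ext_if from <badssh>
pass in on $ext_if proto tcp to port 22 keep state \
    (max-src-conn-rate 5/30, overload <badssh> flush global)

# flags S/SA is now the default check; "flags any" switches the check off
# for this rule only (state is still kept).
pass in on $ext_if proto tcp to port 80 flags any

# Outbound SMTP is logged to a cloned pflog interface instead of pflog0.
# Create it first (ifconfig pflog1 create) and read it with its own daemon:
# pflogd -i pflog1 -f /var/log/pflog1
# pf.conf(5) spells the interface option with parentheses: log (to pflog1)
pass out log (to pflog1) on $ext_if proto tcp to port smtp

# Inline filter anchor, the same shape as the pf.conf(5) example quoted above.
anchor "external" on egress {
        block
        anchor out {
                pass proto tcp from any to port { 25, 80, 443 }
        }
        pass in proto tcp to any port 22
}

# Traffic from <companyA> is looked up in routing table 1, which is
# populated separately, e.g.: route -n -T1 add -inet 10.8.8.0/24 10.1.1.1
pass in on $ext_if from <companyA> rtable 1
```

Check the file with pfctl -nf /etc/pf.conf before loading it; with ruleset optimisation left at "basic", compare pfctl -sr against the file afterwards, since merged or reordered rules are what the optimiser is expected to produce. The "no state" rule and the "flags any" rule are the two places where the 4.1 defaults are deliberately switched off, so they are the lines to review if connections through this ruleset behave unexpectedly.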
