From: Fbsd8
Date: Tue, 20 Nov 2012 09:16:58 -0500
To: Olivier Smedts
Cc: Gary Palmer, Paul Webster, freebsd-current@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. (Copied from freebsd-pf)

Olivier Smedts wrote:
> 2012/11/20 Gary Palmer:
>> On Tue, Nov 20, 2012 at 11:43:04AM +0100, Olivier Smedts wrote:
>>> 2012/11/20 Paul Webster:
>>>> I am aware this is a much discussed subject since the upgrade of PF, I
>>>> believe the final decision was that too many users are used to the old
>>>> style pf and an upgrade to the new syntax would cause too much confusion.
>>> But a change like this is expected in a new major branch, i.e.
>>> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
>>> problem here.
>> So you don't expect people to upgrade boxes in place?
>
> I expect that before upgrading to a *major* version you should read an
> updating or "what's changed" documentation.
>
>> I also guess you've never been 5,000 miles away from a box and typo'd something
>> in the firewall and locked yourself out. Then think how tons of FreeBSD
>> users would feel if the default pf syntax was changed to be incompatible and
>> they find themselves in a similar situation after an upgrade. Defaulting to
>> open, while it could solve the problem (although I would suspect there could
>> be edge cases where it doesn't), could be bad for other reasons.
>
> This already happened to me but, no, not during a major upgrade
> because I won't do this kind of work without at least someone on-site.
>
>> The other question that I haven't seen answered (or maybe even asked), but
>> is relevant: what do we gain by going to a later version of pf? I.e. as an
>> administrator, what benefit do I get by having to expend effort converting
>> my filter rules?
>>
>> Gary
>
> At some time we'll surely *have* to upgrade our pf, because the legacy
> version won't be supported upstream. I say that a major release is the
> most appropriate place for such a change.
>
> Another question: how did OpenBSD manage this change?
>
> Cheers
>

Hey, I have been down this road myself. It's no longer possible to just
re-port the current OpenBSD version of PF to FreeBSD. The FreeBSD version
has been rewritten. Read all the threads shown in this post for all the
gory details.

[HEADS UP] merging projects/pf into head
http://lists.freebsd.org/pipermail/freebsd-pf/2012-September/006740.html