From owner-freebsd-pf@FreeBSD.ORG Mon Jan 10 11:07:08 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 10 Jan 2011 11:07:07 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201101101107.p0AB77BP001838@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

46 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Jan 12 03:20:52 2011
From: Francisco Reyes
To: freebsd-pf@freebsd.org
Date: Tue, 11 Jan 2011 22:05:34 -0500
Subject: Nat + static routes using PF?

I am trying to set up a machine as a gateway.
The current setup is:

T1 192.168.1.1
  |
  |
  ---> Switch <--- users in 192.168.1.0/24
  |
  |
  --\ FreeBSD Machine --/
  |
  |
Time Warner 192.168.0.1

I am trying to get most of the traffic to go through Time Warner so I set
that as the default gateway. I then have a handful of static routes I set up
and want to go through the T1.

I modified the setup at this URL
http://www.bsdguides.org/guides/freebsd/networking/ho_router_pf.php
and so far have the /etc/pf.conf below.

Machines in the 192.168.1.0/24 subnet are going through Time Warner, but the
static routes are failing. Do I need rules for the T1's IP?

Current setup:

### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "em0"
ext_if = "re0"

# ping requests
icmp_types = "echoreq"

### options
set loginterface $ext_if
set skip on lo0

### Scrub
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Any pointers greatly appreciated.

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 13 06:11:12 2011
From: The Anarcat
To: freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2011 00:51:36 -0500
Subject: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?)
Message-ID: <20110113055136.GU24439@anarcat.ath.cx>

Hi!

I have dug into the archive after reading in the handbook that pf is
stuck at OpenBSD's 4.1 version, which is now quite old (May 2007).

I have found this thread mentioning testing required for a patch:

http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005842.html

... it then seemed the patch had some issues:

http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005860.html

Others have raised a similar issue about backporting 4.7 into FreeBSD:

http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005862.html

For context, OpenBSD 4.7 (May 2010) is the last significant release
including changes in pf:

http://openbsd.org/47.html#new

So my question is: what's the plan? Is anybody actively maintaining pf
in FreeBSD at this point?

Is it because the backporting process is painful that it's not being
done regularly?

Or is it only because of the lack of testers?

A.

PS: I ask because we're considering switching our routers from OpenBSD
to FreeBSD to ease maintenance (yay freebsd-update) but the outdated pf
version is a serious hindrance as we're looking at using the new
'sloppy' state tracking mechanisms

PPS: please CC, I'm not on the list (yet?)

--
Antoine Beaupré
Réseau Koumbit Networks
+1.514.387.6262

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 13 17:01:39 2011
From: harold barker
To: The Anarcat
Cc: freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2011 08:44:56 -0800
Subject: Re: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?)
Message-Id: <431D5E6B-E1B2-46EB-BEBD-540AEC889328@dsms.com>
In-Reply-To: <20110113055136.GU24439@anarcat.ath.cx>
References: <20110113055136.GU24439@anarcat.ath.cx>

I like and use PF on FreeBSD.  I would greatly appreciate someone
committing to more than a wham bam thank you madam port.  I am willing
to put some money in the pot.

On Jan 12, 2011, at 21:51, The Anarcat wrote:

> Hi!
>
> I have dug into the archive after reading in the handbook that pf is
> stuck at OpenBSD's 4.1 version, which is now quite old (May 2007).
>
> I have found this thread mentioning testing required for a patch:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005842.html
>
> ... it then seemed the patch had some issues:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005860.html
>
> Others have raised a similar issue about backporting 4.7 into FreeBSD:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005862.html
>
> For context, OpenBSD 4.7 (May 2010) is the last significant release
> including changes in pf:
>
> http://openbsd.org/47.html#new
>
> So my question is: what's the plan? Is anybody actively maintaining pf
> in FreeBSD at this point?
>
> Is it because the backporting process is painful that it's not being
> done regularly?
>
> Or is it only because of the lack of testers?
>
> A.
>
> PS: I ask because we're considering switching our routers from OpenBSD
> to FreeBSD to ease maintenance (yay freebsd-update) but the outdated pf
> version is a serious hindrance as we're looking at using the new
> 'sloppy' state tracking mechanisms
>
> PPS: please CC, I'm not on the list (yet?)
>
> --
> Antoine Beaupré
> Réseau Koumbit Networks
> +1.514.387.6262

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 14 02:40:42 2011
From: The Anarcat
To: freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2011 21:40:41 -0500
Subject: default ALTQ support in the GENERIC kernel?
Message-ID: <20110114024041.GN24439@anarcat.ath.cx>

Is there any chance FreeBSD would take the path Dragonfly has taken
here:

http://leaf.dragonflybsd.org/mailarchive/commits/2010-08/msg00020.html

... and enable ALTQ by default in the GENERIC kernel? The patch is
trivial, and would help a ton of users that, while they can load pf as a
module, can't load ALT as such...

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/4e05246291da1b325421295bcfcc7763cd96d52e

Thanks!

PS: seems like I should subscribe to this list, considering the noise I
bring, but that's not done yet, so please CC :)

--
Antoine Beaupré
Réseau Koumbit Networks
+1.514.387.6262

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 14 03:48:27 2011
From: The Anarcat
To: Chris Buechler
Cc: harold barker, freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2011 22:48:25 -0500
Subject: Re: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?)
Message-ID: <20110114034825.GO24439@anarcat.ath.cx>
References: <20110113055136.GU24439@anarcat.ath.cx>

Thanks for sharing the state of affairs! As I have said to Ermal
privately, I am really glad to hear things are still moving ahead.

I fully understand the need to avoid breaking backward compatibility on
the 8.x branch, that makes perfect sense, and I'm quite happy to not see
the rug be pulled out from under our legs like this. :)

I can't congratulate you enough for your work on pfSense and your
contribution back to the FreeBSD project, I am sure this is really
appreciated by a lot of people. It is, at least, by me and our team at
Koumbit.

Thank you again!

A.

--
Antoine Beaupré
Réseau Koumbit Networks
+1.514.387.6262

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 14 03:53:24 2011
From: Chris Buechler
To: The Anarcat, harold barker
Cc: freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2011 22:33:52 -0500
Subject: Re: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?)
In-Reply-To: <20110113055136.GU24439@anarcat.ath.cx>
References: <20110113055136.GU24439@anarcat.ath.cx>

On Thu, Jan 13, 2011 at 12:51 AM, The Anarcat wrote:
> Hi!
>
> I have dug into the archive after reading in the handbook that pf is
> stuck at OpenBSD's 4.1 version, which is now quite old (May 2007).
>
> I have found this thread mentioning testing required for a patch:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005842.html
>
> ... it then seemed the patch had some issues:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005860.html
>
> Others have raised a similar issue about backporting 4.7 into FreeBSD:
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005862.html
>
> For context, OpenBSD 4.7 (May 2010) is the last significant release
> including changes in pf:
>

The first post in the above thread says why the next import into
FreeBSD will be 4.5, breaking your ruleset by upgrading your OS is
being avoided for now.

> So my question is: what's the plan? Is anybody actively maintaining pf
> in FreeBSD at this point?
>

It's a lot of work, Max who did the original port hasn't had time to
maintain it, but Ermal Luci is picking up maintainership. The plan
discussed at the FreeBSD dev summit at EuroBSDCon last year is the 4.5
PF will be imported for FreeBSD 9, and from there options will be
considered for the path forward.

> PS: I ask because we're considering switching our routers from OpenBSD
> to FreeBSD to ease maintenance (yay freebsd-update) but the outdated pf
> version is a serious hindrance as we're looking at using the new
> 'sloppy' state tracking mechanisms
>

Note there is a patch to add sloppy state tracking to FreeBSD 8.1,
pfSense uses it, you can find the patches in the tools repo at
rcs.pfsense.org. Of course using a kernel patch rules out using
freebsd-update though.

On Thu, Jan 13, 2011 at 11:44 AM, harold barker wrote:
>
> I like and use PF on FreeBSD.  I would greatly appreciate someone
> committing to more than a wham bam thank you madam port.  I am willing
> to put some money in the pot.

Ermal will be putting more time in it early this year, he makes a
living working on pfSense, as well as the rest of our staff who make a
living on the project helping with testing and related things. Though
part of that depends on us having funding available to cover salaries
for the time put into projects and at this point we don't have anyone
looking to fund that time. We cut as good of a deal as we can on open
source work, just covering our own costs, and probably losing money on
this one as we're going to make it happen regardless as long as we
don't have to take too big of a hit on it. We're consumed with other
projects at this instant but will be looking at this again soon.

Chris

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 14 15:03:56 2011
From: Daniel Gerzo
Organization: The FreeBSD Project
To: Chris Buechler
Cc: harold barker, The Anarcat, freebsd-pf@FreeBSD.org
Date: Fri, 14 Jan 2011 15:46:52 +0100
Subject: Re: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?)
Message-ID: <8897f703b4c3c09b8c061a1f46ae658b@services.syscare.sk>
References: <20110113055136.GU24439@anarcat.ath.cx>

On Thu, 13 Jan 2011 22:33:52 -0500, Chris Buechler wrote:
>
> Note there is a patch to add sloppy state tracking to FreeBSD 8.1,
> pfSense uses it, you can find the patches in the tools repo at
> rcs.pfsense.org. Of course using a kernel patch rules out using
> freebsd-update though.

Not the official path, but it is actually possible to build your own
freebsd-update server with your own distribution.
There is a nice article out there covering the whole process, but
unfortunately, it still didn't hit our articles collection.
I hope there will be someone able to work on it.

--
Kind regards
  Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 14 18:11:09 2011
From: The Anarcat
To: Daniel Gerzo
Cc: Chris Buechler, harold barker, freebsd-pf@FreeBSD.org
Date: Fri, 14 Jan 2011 13:11:07 -0500
Subject: freebsd-update for custom builds
Message-ID: <20110114181107.GU24439@anarcat.ath.cx>
In-Reply-To: <8897f703b4c3c09b8c061a1f46ae658b@services.syscare.sk>
References: <20110113055136.GU24439@anarcat.ath.cx> <8897f703b4c3c09b8c061a1f46ae658b@services.syscare.sk>

On Fri, Jan 14, 2011 at 03:46:52PM +0100, Daniel Gerzo wrote:
> Not the official path, but it is actually possible to build your own
> freebsd-update server with your own distribution.
> There is a nice article out there covering the whole process, but
> unfortunately, it still didn't hit our articles collection.
> I hope there will be someone able to work on it.

Is there an URL for the unofficial article for now?

--
Antoine Beaupré
Réseau Koumbit Networks
+1.514.387.6262

--dv+7Y1Jmnoh5Cnne-- From owner-freebsd-pf@FreeBSD.ORG Sat Jan 15 00:33:37 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A4F2C106566C for ; Sat, 15 Jan 2011 00:33:37 +0000 (UTC) (envelope-from lists@stringsutils.com) Received: from manuel.natserv.net (p65-147.acedsl.com [66.114.65.147]) by mx1.freebsd.org (Postfix) with ESMTP id 66F1D8FC14 for ; Sat, 15 Jan 2011 00:33:37 +0000 (UTC) Received: from shelca (zoraida.natserv.net [66.114.65.147]) by manuel.natserv.net (Postfix) with ESMTP id 2AEB3F9C5; Fri, 14 Jan 2011 19:33:36 -0500 (EST) References: <20110113055136.GU24439@anarcat.ath.cx> Message-ID: X-Mailer: http://www.courier-mta.org/cone/ From: Francisco Reyes To: Chris Buechler Date: Fri, 14 Jan 2011 19:33:36 -0500 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="US-ASCII" Content-Disposition: inline Content-Transfer-Encoding: 7bit Cc: harold barker , The Anarcat , freebsd-pf@freebsd.org Subject: Re: long term maintenance of pf in FreeBSD (AKA where's pf 4.7?) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Jan 2011 00:33:37 -0000 Chris Buechler writes: > living working on pfSense, as well as the rest of our staff who make a > living on the project helping with testing and related things. Though > part of that depends on us having funding available to cover salaries Why not propose the work to the FreeBSD foundation? http://freebsdfoundation.org January 2011 We are pleased to announce a call for project proposals. We will accept proposals until February 15th. Please read Project Proposal Prodecures to find out what needs to be included in your proposal. 
From owner-freebsd-pf@FreeBSD.ORG Sat Jan 15 10:28:48 2011
Date: Sat, 15 Jan 2011 11:28:46 +0100
From: Daniel Gerzo
To: The Anarcat
Cc: Chris Buechler, harold barker, freebsd-pf@FreeBSD.org
Subject: Re: freebsd-update for custom builds

On 14.1.2011 19:11, The Anarcat wrote:
> On Fri, Jan 14, 2011 at 03:46:52PM +0100, Daniel Gerzo wrote:
>> Not the official path, but it is actually possible to build your own
>> freebsd-update server with your own distribution.
>> There is a nice article out there covering the whole process, but
>> unfortunately, it still didn't hit our articles collection.
>> I hope there will be someone able to work on it.
>
> Is there an URL for the unofficial article for now?
>

http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_1941-Build-Your-Own-FreeBSD-Update-Server.html

--
S pozdravom / Best regards
  Daniel Gerzo, FreeBSD committer