From owner-freebsd-security@FreeBSD.ORG Sun Mar 3 23:12:26 2013
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sun, 3 Mar 2013 18:12:18 -0500
Subject: Firewall Options

Are there plans to update ipfilter or pf to current versions? ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28 from 2007.
On the pf side, the version in FreeBSD is 4.5, but the current version I would understand to be 5.2. The version in FreeBSD is pre-4.7, so much of the syntax in the current documentation is different and does not work in this older version.

Is IPFW the only maintained firewall option, or is there a way to build either of the above as ports?

From owner-freebsd-security@FreeBSD.ORG Mon Mar 4 14:12:57 2013
From: Mark Felder
To: freebsd-security@freebsd.org, Robert Simmons
Date: Mon, 4 Mar 2013 08:12:48 -0600
Subject: Re: Firewall Options
On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons wrote:
> Are there plans to update ipfilter or pf to current versions?
> ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
> from 2007.
>
> On the pf side, the version in FreeBSD is 4.5, but the current version
> I would understand to be 5.2. The version in FreeBSD is pre-4.7, so
> much of the syntax in the current documentation is different and does
> not work in this older version.
>
> Is IPFW the only maintained firewall option, or is there a way to
> build either of the above as ports?

It takes a *lot* of work to re-port packet filters to a different BSD kernel and ensure everything works perfectly. We recently received a nice pf version bump with the release of 9.0 and it doesn't seem likely we'll see another soon. There is an SMP-friendly fork of pf in progress for FreeBSD. It may very well turn out that FreeBSD's pf completely diverges from OpenBSD's permanently as OpenBSD has no interest in an SMP-friendly pf.

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html

As for IPFW -- I honestly don't know. I can't remember the last time there was a major update of IPFW for FreeBSD.
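The pre-4.7 syntax gap Robert describes in the quoted question above is most visible in NAT handling: OpenBSD 4.7 folded the standalone nat and rdr rules of pf 4.5 into nat-to and rdr-to options on match and pass rules. The listing below is an added illustration, not part of this thread; the interface names and the 192.0.2.10 address are constructed, and the two dialects are shown side by side only for comparison (a given pf version loads one or the other, not both).

```pf
# Constructed example: one NAT + port-forward policy, written twice.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"   # RFC 5737 documentation address, constructed

# --- pf 4.5 dialect (what FreeBSD 9.x ships): translation rules are
#     separate from filter rules and are evaluated first, so the pass
#     rule must name the already-translated (internal) destination.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state

# --- pf 4.7+ dialect (current OpenBSD documentation): translation is an
#     option on match/pass rules, and the pass rule names the external,
#     pre-translation destination. The 4.5 parser rejects these lines.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
```

Before trusting a ruleset copied from upstream documentation, run `pfctl -nf /path/to/pf.conf` on the target host: -n parses without loading, so a dialect mismatch surfaces as a syntax error instead of a silently absent rule.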
From owner-freebsd-security@FreeBSD.ORG Mon Mar 4 22:55:20 2013
From: "Koornstra, Reinoud"
To: Mark Felder, freebsd-security@freebsd.org, Robert Simmons
Date: Mon, 4 Mar 2013 22:34:58 +0000
Message-ID: <0EEF6678B3EEC94B9AE44705DF224D023697268C@G9W0725.americas.hpqcorp.net>
Subject: RE: Firewall Options
Hi Mark,

Why not consider NPF from NetBSD where SMP friendly firewalling is a given. I do understand it'll cost lots of work too, but it might be easier than making pf SMP friendly.
Then again, making software MPsafe and having it perform very well with SMP are two different things. Considering NPF has been taking this into account from day one, performance wise it might be best to consider NPF.
Please note that I didn't say anything about the quality or functionality of pf and npf. NPF was designed with performance in mind.
Also I did not say anything about the memory usage and their efficiency in that field.
I feel I need to point these things out before I unintentionally offend some people.

Thanks,

Reinoud.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mark Felder
Sent: Monday, March 04, 2013 6:13 AM
To: freebsd-security@freebsd.org; Robert Simmons
Subject: Re: Firewall Options

On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons wrote:
> Are there plans to update ipfilter or pf to current versions?
> ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
> from 2007.
>
> On the pf side, the version in FreeBSD is 4.5, but the current version
> I would understand to be 5.2. The version in FreeBSD is pre-4.7, so
> much of the syntax in the current documentation is different and does
> not work in this older version.
>
> Is IPFW the only maintained firewall option, or is there a way to
> build either of the above as ports?

It takes a *lot* of work to re-port packet filters to a different BSD kernel and ensure everything works perfectly. We recently received a nice pf version bump with the release of 9.0 and it doesn't seem likely we'll see another soon. There is an SMP-friendly fork of pf in progress for FreeBSD.
It may very well turn out that FreeBSD's pf completely diverges from OpenBSD's permanently as OpenBSD has no interest in an SMP-friendly pf.

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html

As for IPFW -- I honestly don't know. I can't remember the last time there was a major update of IPFW for FreeBSD.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Mar 5 14:45:34 2013
To: freebsd-security@freebsd.org, Robert Simmons, "Koornstra, Reinoud"
Subject: Re: Firewall Options
References: <0EEF6678B3EEC94B9AE44705DF224D023697268C@G9W0725.americas.hpqcorp.net>
Date: Tue, 5 Mar 2013 08:45:17 -0600
From: Mark Felder
In-Reply-To: <0EEF6678B3EEC94B9AE44705DF224D023697268C@G9W0725.americas.hpqcorp.net>

On Mon, 04 Mar 2013 16:34:58 -0600, Koornstra, Reinoud wrote:
> Hi Mark,
>
> Why not consider NPF from NetBSD where SMP friendly firewalling is a
> given.

I've actually been toying with the idea of reinstalling my firewall with NetBSD so I can try NPF. I just hate debugging firewall rules that I'm unfamiliar with :) However, it does look like an amazing project. I'm also not sure if NetBSD is more or less difficult to use as an upstream than OpenBSD.

From owner-freebsd-security@FreeBSD.ORG Wed Mar 6 01:55:08 2013
From: Brett Glass
To: Robert Simmons, freebsd-security@freebsd.org
Date: Tue, 05 Mar 2013 18:40:50 -0700
Message-Id: <201303060140.SAA04749@lariat.net>
Subject: Re: Firewall Options
This brings up a question I hadn't thought to ask before. How SMP-friendly is the current implementation of IPFW? I will be building some routers/firewalls that will require high performance, and do not want to run into a situation where the firewall is single-threaded (or giant-locked) and becomes a bottleneck.

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Wed Mar 6 08:22:41 2013
From: Ruud Althuizen
To: Brett Glass
Cc: freebsd-security@freebsd.org
Date: Wed, 6 Mar 2013 09:22:39 +0100
Message-ID: <20130306082239.GH42007@stack.nl>
In-Reply-To: <201303060140.SAA04749@lariat.net>
Subject: Re: Firewall Options
As stated elsewhere in this thread, there's a PF giant-lock.

On Tue 05 Mar 2013 06:40 PM, Brett Glass wrote:
> This brings up a question I hadn't thought to ask before. How SMP-friendly is
> the current implementation of IPFW? I will be building some routers/firewalls
> that will require high performance, and do not want to run into a
> situation where
> the firewall is single-threaded (or giant-locked) and becomes a bottleneck.
>
> --Brett Glass

--
With kind regards,
Ruud Althuizen