From: krad
To: "Kristian K. Nielsen"
Cc: freebsd-current@freebsd.org, FreeBSD Questions
Date: Fri, 18 Jul 2014 09:11:36 +0100
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <53C706C9.6090506@com.jkkn.dk>

I would like to see an updated version of pf. I realize it's a big job to port it though.

On 17 July 2014 00:12, Kristian K. Nielsen wrote:
> Hi all,
>
> I have been encouraged by people on the pf mailing list to move this
> discussion to the current mailing list since this may be an area in the OS
> where FreeBSD needs to focus next.
>
> First of all I am a happy user of the pf firewall module and have been for
> years and think it is really great - the trouble is that lately (since
> 2008) it's getting a bit dusty.
>
> The last few years it seems that pf in FreeBSD got a long way away from pf
> in OpenBSD where it originated
> - also looking at ipfilter (ipf) and ipfw - to me they both do not
> seem to be as complete as pf.
>
> So I am curious if anyone on the mailing list could elaborate about what the
> future of pf in FreeBSD is or should be.
>
> a) First of all - is anyone actively developing pf in FreeBSD?
>
> b) We are a major release away from OpenBSD (5.6 coming soon) - is
> following OpenBSD's pf the past? - should it be?
>
> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
> discussion on the pf mailing list flamed the new syntax saying it would
> cause FreeBSD administrators too much headache. Today on the list it seems
> everyone wants it - so would we rather stay on a dead branch than keep up
> with the mainstream?
>
> d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the
> pf list.
>
> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? - it seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more and
> more IPv6 in networks.
> E.g. bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments, which has been open since
> 2008 and where the workaround is the necessity to leave a completely open hole
> in your firewall ruleset to allow all fragments. According to a comment in
> the bug, this has been long gone in OpenBSD.
>
> g) Performance: can we live with pf performance that, compared to OpenBSD,
> is slower by a factor of 3 or 4, even after the multi-core support in
> FreeBSD 10?
> (Henning Brauer noted that in this talk at
> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 36:53))
> - credit/Jim Thompson
>
> h) Bringing back patches from pfSense?
>
> And my most important question:
>
> * Should this or could this be a project for the foundation to either do a
> summer project or funded project to bring this part of the OS up to date?
>
> Hope to hear from you all,
>
> Best regards,
>
> Kristian Kræmmer Nielsen,
> Odense, Denmark