From: "Kristian K. Nielsen"
Date: Thu, 17 Jul 2014 01:12:09 +0200
To: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Subject: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <53C706C9.6090506@com.jkkn.dk>

Hi all,

I have been encouraged by people on the pf mailing list to move this discussion to the current mailing list, since this may be an area in the OS where FreeBSD needs to focus next.

First of all, I am a happy user of the pf firewall module and have been for years, and I think it is really great - the trouble is that lately (since 2008) it's getting a bit dusty. The last few years it seems that pf in FreeBSD got a long way away from pf in OpenBSD, where it originated - also looking at ipfilter (ipf) and ipfw, they both do not seem to me to be as complete as pf.

So I am curious if anyone on the mailing list could elaborate about what the future of pf in FreeBSD is or should be.

a) First of all - is anyone actively developing pf in FreeBSD?

b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past? - should it be?

c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf mailing list flamed the new syntax, saying it would cause FreeBSD administrators too much headache. Today on the list it seems everyone wants it - so would we rather stay on a dead branch than keep up with the mainstream?

d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the pf list.

e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
http://undeadly.org/cgi?action=article&sid=20140419151959

f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD, and I am (as well as others) introducing more and more IPv6 in networks. E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround is the necessity to leave a completely open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has long been gone in OpenBSD.

g) Performance: can we live with pf performance that, compared to OpenBSD, is slower by a factor of 3 or 4, even after the multi-core support in FreeBSD 10? (Henning Brauer noted that in this talk at http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 36:53)) - credit/Jim Thompson

h) Bringing back patches from pfSense?

And my most important question:

* Should this or could this be a project for the foundation to either do a summer project or a funded project to bring this part of the OS up to date?

Hope to hear from you all.

Best regards,
Kristian Kræmmer Nielsen, Odense, Denmark