From: Darren Reed
Date: Mon, 28 Jul 2014 19:41:26 +1000
To: Cy Schubert
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Cc: freebsd-current@freebsd.org

On 27/07/2014 4:43 AM, Cy Schubert wrote:
> In message <53D395E4.1070006@fastmail.net>, Darren Reed writes:
>> On 24/07/2014 1:42 AM, Cy Schubert wrote:
>>>>> But, lack of ipv6 fragment processing still causes ongoing pain. That's our
>>>>> #1 wish list item for the cluster.
>>> Taking this discussion slightly sideways but touching on this thread a
>>> little, each of our packet filters will need nat66 support too. Pf doesn't
>>> support it for sure. I've been told that ipfw may and I suspect ipfilter
>>> doesn't as it was on Darren's todo list from 2009.
>> ipfilter 5 handles fragments for ipv6.
> Switching gears and leaving the discussion of ipv6 fragments to mention
> nat66. A lot of people have been talking about nat66. I could be wrong but
> I don't think it can handle nat66. I need to do some testing to verify
> this. I remember reading on sourceforge that it was on your todo list. It
> doesn't look like it was checked off as being completed.

IPFilter 5 does IPv6 NAT.

With the import of 5.1.2, map, rdr and rewrite rules will all work with
IPv6 addresses.

NAT66 is a specific implementation of IPv6 NAT behaviour.

Cheers,
Darren