Date: Thu, 28 Mar 2002 13:12:36 +0000
From: Dave Ryan
To: security@freebsd.org
Subject: Re: pf OR ipf ?
Message-ID: <20020328131236.GB30961@default.eircom.net>
References: <20020328064640.GA74780@area51.dk>
Organization: Eircom CIRT

Attila Nagy said the following on Thu, Mar 28, 2002 at 01:20:40PM +0100,
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which has a different codebase. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)

Sure, it's always a good thing to add more code to your kernel. I would
focus on bringing assurance to the existing code as opposed to porting in
something else to perform the same function.

> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.

I fail to see the relevance in discussing PF on a FreeBSD mailing list; if
you have suggestions, sign on to tech or misc.

What is so wrong with ipfw that there needs to be another packet filter
brought under FreeBSD? I'm glad I have the option of pf on OpenBSD now, but
I can't see a good reason to import it for the sake of yet another packet
filter.

I personally choose ipfw when running FreeBSD and I am very very happy with
pf under OpenBSD.