From: Lowell Gilbert
To: Adrian Chadd
Cc: "freebsd-hackers@freebsd.org"
Subject: Re: [FreeBSD 11 Wishlist] Replacing an OpenBSD Firewall
Date: Fri, 02 Jan 2015 13:08:21 -0500

Adrian Chadd writes:

> On 2 January 2015 at 07:41, Mark Felder wrote:
>> I've been encouraged to use ipfw and dummynet, but converting my
>> firewall rules again is not something I'm enthusiastic about. I'll note
>> that FreeBSD is often praised for including pf while ipfw is completely
>> overlooked; our own Handbook even puts pf before ipfw. That certainly
>> sends a message that we may not be intending to send and should be
>> considered carefully.
>
> Well, I bet the handbook updates were written by a pf-loving person. :)

I just took a quick look at that Handbook chapter (for the first time
in quite a few years), and I didn't notice anything I'd consider a
problem. All three firewalls are mentioned and (*very* lightly) compared
in the Synopsis that begins the chapter. pf does come before ipfw, but
*something* has to come first; it's not like anyone would go for a
suggestion like periodically re-ordering the sections...