From owner-freebsd-security  Thu Mar 28  6:54:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from patrocles.silby.com (d129.as29.nwbl0.wi.voyager.net [169.207.73.131])
	by hub.freebsd.org (Postfix) with ESMTP id EB35537B404
	for <security@freebsd.org>; Thu, 28 Mar 2002 06:54:04 -0800 (PST)
Received: from patrocles.silby.com (localhost [127.0.0.1])
	by patrocles.silby.com (8.12.2/8.12.2) with ESMTP id g2SKqVUH024760;
	Thu, 28 Mar 2002 14:52:31 -0600 (CST)
	(envelope-from silby@silby.com)
Received: from localhost (silby@localhost)
	by patrocles.silby.com (8.12.2/8.12.2/Submit) with ESMTP id g2SKqPll024757;
	Thu, 28 Mar 2002 14:52:28 -0600 (CST)
X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs
Date: Thu, 28 Mar 2002 14:52:24 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Attila Nagy <bra@fsn.hu>
Cc: Alex Holst <a@area51.dk>, <security@freebsd.org>
Subject: Re: pf OR ipf ?
In-Reply-To: <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu>
Message-ID: <20020328144718.L24744-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


On Thu, 28 Mar 2002, Attila Nagy wrote:

> Hello,
>
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which has a different codebase. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)
>
> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.
>
> --------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]-------
> Attila Nagy					e-mail: Attila.Nagy@fsn.hu
> Free Software Network (FSN.HU)		  phone @work: +361 210 1415 (194)

The primary reason that pf (and iptables, and Microsoft's win32 layer)
have not been ported to FreeBSD is lack of developer time.  If you believe
that PF would be a good thing, go ahead and port it over.  If the code was
unobtrusive, I'm sure it would make it into the tree.

Mike "Silby" Silbersack


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message