Date: Tue, 11 Mar 2008 06:14:51 -0500 (CDT)
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: Igor Zinovik <zinovik@kspu.karelia.ru>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF perfomance in freebsd
Message-ID: <Pine.NEB.4.64.0803110527080.360@tx.reedmedia.net>
In-Reply-To: <20080311090953.GA1764@zinovik.kspu.karelia.ru>
References: <20080311090953.GA1764@zinovik.kspu.karelia.ru>
On Tue, 11 Mar 2008, Igor Zinovik wrote:

> I decided to switch from ipf to pf at work. So I try to explain to
> coadmin why pf is better than ipf. My main arguments for switching from
> ipf are that pf is still maintained and feature rich. Main disadvantage
> of ipf is that it is hard to maintain configuration file (since it does
> not support macros we created shell script to obtain macro support).

These arguments are not true.

IPF is maintained. FreeBSD's official handbook says "IPFILTER is actively being supported and maintained, with updated versions being released regularly." The FAQ was last updated in 07/05/07 (July 2007 I assume). It looks like the latest release of IP Filter (4.1.28) was released on Oct. 17, 2007.

IPF is feature rich. Some examples: tuning during run-time; save state over reboots; active and testing filter which can be swapped; can generate C code for filter rules hard-coded in custom kernel; flush specific TCP states (at run-time); flush idle states that are a certain age (at run-time); provides tools to generate simple ruleset and testing of rulesets without enabling on real firewall (and using various packet input formats); able to call kernel functions per a rule; authentication (such as password) for rules; lookup tables; packet per second matching; few built in proxies; some load balancing; checksum verifications; and more.

IPF does support macros. It has always supported nested variable substitution. (Sadly this is not documented.)

Jeremy C. Reed

p.s. I primarily use PF because of its great documentation -- in fact, I published an edited, indexed, cross-referenced, and improved version of some PF docs in book format.