From owner-freebsd-questions@FreeBSD.ORG Mon Jul 21 13:57:28 2014
From: "bycn82"
To: "'Andreas Nilsson'"
Cc: 'Maxim Khitrov', 'Current FreeBSD', 'Mailinglists FreeBSD'
Subject: RE: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Mon, 21 Jul 2014 21:57:21 +0800
Message-ID: <002601cfa4eb$b4554270$1cffc750$@gmail.com>
References: <20140721.074105.74747815.sthaug@nethelp.no> <20140721.085616.74744313.sthaug@nethelp.no>
List-Id: User questions (freebsd-questions@freebsd.org)

There is no doubt that PF is a really good firewall, but we should notice that there is ipfw, which is originally from FreeBSD, while PF is from OpenBSD.

If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve ipfw. But if you just like the PF style, then I think choosing OpenBSD is the better solution. Actually OpenBSD is another really good operating system.

Like myself, I like CentOS and ipfw, so no choice :)

> -----Original Message-----
> From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Andreas Nilsson
> Sent: 21 July, 2014 19:46
> To: sthaug@nethelp.no
> Cc: Maxim Khitrov; Current FreeBSD; Mailinglists FreeBSD
> Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
>
> On Mon, Jul 21, 2014 at 8:56 AM, wrote:
>
> > > > > Also, the openbsd stack has some essential features missing in freebsd,
> > > > > like mpls and md5 auth for bgp sessions.
> > > >
> > > > I use MD5 auth for BGP sessions every day (and have been doing so
> > > > for several releases). One could definitely wish for better
> > > > integration - having to specify the MD5 key both in /etc/ipsec.conf
> > > > and in the Quagga bgpd config is not nice. But it works.
> > > >
> > > As far as I know you can only send out correctly authed stuff but
> > > not validate incoming. Has that changed?
> >
> > Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> > in r221023, see
> >
> > http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
> >
> > Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> >
> > ----------------------------------------------------------------------
> >
> > Revision 221023
> > Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
> > File length: 106717 byte(s)
> > Diff to previous 220560
> >
> > Add the possibility to verify MD5 hash of incoming TCP packets.
> > As long as this is a costly function, even when compiled in (along with
> > the option TCP_SIGNATURE), it can be disabled via the
> > net.inet.tcp.signature_verify_input sysctl.
> >
> > Sponsored by: Sandvine Incorporated
> > Reviewed by: emaste, bz
> > MFC after: 2 weeks
> >
> > I stand corrected. Excellent news (for me, that is) :)
>
> Best regards
> Andreas
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
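The r221023 change quoted in the thread verifies the RFC 2385 TCP MD5 signature option on incoming segments. The following is an added example, not FreeBSD's tcp_signature_verify() and not code from anyone in this thread: it models that receive-side check in Python over a constructed signed BGP SYN, where the digest covers the IPv4 pseudo-header, the fixed TCP header with checksum zeroed, the payload and the shared key. The addresses, ports and key are constructed values.

```python
import hashlib, hmac, socket, struct

TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE = 19, 18   # RFC 2385: kind, kind+len+16-byte digest

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options, payload, key):
    """RFC 2385 digest over: IPv4 pseudo-header, 20-byte TCP header with checksum
    zeroed (options excluded), segment data, then the shared key."""
    seg_len = len(fixed_hdr) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    hdr_nocsum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(pseudo + hdr_nocsum + payload + key).digest()

def find_signature(options):
    """Walk the TCP option list; return the digest of a kind-19 option, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None                   # truncated or malformed option: reject
        length = options[i + 1]
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return options[i + 2:i + length]
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receive-side check: True only if the segment carries a correct signature."""
    data_off = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if data_off < 20 or data_off > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:data_off], segment[data_off:]
    got = find_signature(options)
    if got is None:
        return False
    want = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
    return hmac.compare_digest(got, want)  # constant-time compare

def build_signed_syn(src_ip, dst_ip, sport, dport, seq, key):
    """Sender side (constructed): SYN whose signature option is NOP-padded to a 40-byte header."""
    opts = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16 + b"\x01\x01"  # digest placeholder; options are not hashed
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, (20 + len(opts)) // 4 << 4,
                        0x02, 65535, 0, 0)   # flags=SYN, checksum left 0
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, opts, b"", key)
    return fixed + opts[:2] + digest + opts[18:]
```

A peer that has no key for the source address, or that rejects an unsigned segment on a signature-required socket, is policy outside this function; here a missing or malformed option simply fails verification.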