Date: Thu, 17 Jul 2014 21:13:26 +0200
From: Lukasz <lukasz@chroot.pl>
To: freebsd-questions@FreeBSD.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <53C82056.3010401@chroot.pl>
In-Reply-To: <53C70783.90105@com.jkkn.dk>
References: <53C706C9.6090506@com.jkkn.dk> <53C70783.90105@com.jkkn.dk>
+1

On 07/17/2014 01:15 AM, Kristian K. Nielsen wrote:
> Hi all,
>
> I have been encouraged by people on the pf-mailinglist to move this
> discussion to the current mailinglist since this may be an area in the
> OS where FreeBSD needs to focus on next.
>
> First of all I am a happy user of the pf-firewall module and have been
> for years and think it is really great - the trouble is that lately
> (since 2008) it's getting a bit dusty.
>
> The last few years it seems that pf in FreeBSD got a long way away from
> pf in OpenBSD where it originated
> - also looking at the ipfilter (ipf) and ipfw - they both to me do not
> seem to be as complete as pf.
>
> So I am curious if anyone on the mailing list could elaborate about what
> the future of pf in FreeBSD is or should be.
>
> a) First of all - is anyone actively developing pf in FreeBSD?
>
> b) We are a major release away from OpenBSD (5.6 coming soon) - is
> following OpenBSD's pf the past? - should it be?
>
> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a
> long discussion on the pf-mailing list flamed the new syntax saying it
> would cause FreeBSD administrators too much headache. Today on the list
> it seems everyone wants it - so would we rather stay on a dead branch
> than keep up with the main stream?
>
> d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the
> pf-list.
>
> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? - it seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments, which has been open
> since 2008 and where the workaround is the necessity to leave a completely
> open hole in your firewall ruleset to allow all fragments. According to
> a comment in the bug, this has been long gone in OpenBSD.
>
> g) Performance, can we live with pf-performance that compared to OpenBSD
> is slower by a factor of 3 or 4, even after the multi-core support in
> FreeBSD 10?
> (Henning Brauer noted that in this talk at
> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and
> 36:53)) - credit/Jim Thompson
>
> h) Bringing back patches from pfSense?
>
> And my most important question:
>
> * Should this or could this be a project for the foundation to either do
> a summer project or funded project to bring this part of the OS up to date?
>
>
> Hope to hear from you all,
>
> Best regards,
>
> Kristian Kræmmer Nielsen,
> Odense, Denmark