Date: Sun, 14 Apr 2013 16:48:36 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: Scott Long <scottl@samsco.org>
Cc: net@freebsd.org, Joe <fbsd8@a1poweruser.com>, Rui Paulo <rpaulo@freebsd.org>, "freebsd-current@freebsd.org" <current@freebsd.org>
Subject: Re: ipfilter(4) needs maintainer
Message-ID: <CAAdA2WNoT7%2Bo8yP5180ZkSFKU6zERjdYzAPb5VkH3stE2qTYpA@mail.gmail.com>
In-Reply-To: <1D28D213-BB43-4538-A1D5-FC396A7025D5@samsco.org>
References: <20130411201805.GD76816@FreeBSD.org> <7D8ACD5C-821D-4505-82E4-02267A7BA4F8@FreeBSD.org> <E2F803DD-1F3A-430E-957F-7AB1904CDF42@samsco.org> <96D56EAE-E797-429E-AEC9-42B19B048CCC@FreeBSD.org> <516AAD01.1090201@a1poweruser.com> <1D28D213-BB43-4538-A1D5-FC396A7025D5@samsco.org>

I do not stand in any good stead to comment on this, but I have used IPFilter more extensively than PF when it comes to FreeBSD and packet manipulations. As a user, what I can say is this:

1. The only firewall that seems 'native' to FreeBSD is ipfw and I believe it works very well for some users who are able to adapt to its syntax.

2. PF is being felt to be part of FreeBSD, but it too lags far behind OpenBSD implementation - almost like it's unmaintained. There have been debates about this which were never concluded.

Most of you will agree with me on this. IPFilter is obviously NOT going to make it in 10.x and newer releases because of those changes which have led to this thread/debate. So my take is there is a very simple answer/solution to this debate, which conforms to the K.I.S.S principle:

3. There is NO need to look for a maintainer. Simply DEPRECATE IPFilter from 10.x and put out a BIG Notice/Billboard somewhere where whoever needs to run FreeBSD because of IPFilter will find it. I doubt there is such a person anywhere because there are firewall implementations out there that can address this. Just put it out somewhere that IPFilter is NOT AVAILABLE on FreeBSD 10.x upwards and go ahead and remove it from the system. Nobody will complain. If anyone does, tell them that IPFilter is supported on FreeBSD up to 8.x (or is it 9.x? On my 9.x systems I use PF).

4. It's pretty easy for a newcomer to adopt and adapt to a firewall that is properly supported. Newcomers don't have much choice anyway. They decide to go with a system after finding out that it "meets their requirements". Let's remember that there are other Unix variants out there with Firewall implementations too.

I hope this helps you big boys settle this debate.

On 14 April 2013 16:25, Scott Long <scottl@samsco.org> wrote:

>
> On Apr 14, 2013, at 7:20 AM, Joe <fbsd8@a1poweruser.com> wrote:
>
> > Rui Paulo wrote:
> >> On 2013/04/12, at 22:31, Scott Long <scottl@samsco.org> wrote:
> >>> On Apr 12, 2013, at 7:43 PM, Rui Paulo <rpaulo@FreeBSD.org> wrote:
> >>>
> >>>> On 2013/04/11, at 13:18, Gleb Smirnoff <glebius@FreeBSD.org> wrote:
> >>>>
> >>>>> Lack of maintainer in a near future would lead to bitrot due to changes
> >>>>> in other areas of network stack, kernel APIs, etc. This already happens,
> >>>>> many changes during 10.0-CURRENT cycle were only compile tested wrt
> >>>>> ipfilter. If we fail to find maintainer, then a correct decision would be
> >>>>> to remove ipfilter(4) from the base system before 10.0-RELEASE.
> >>>> This has been discussed in the past. Every time someone came up and
> >>>> said "I'm still using ipfilter!" and the idea to remove it dies with it.
> >>>> I've been saying we should remove it for 4 years now. Not only it's
> >>>> outdated but it also doesn't not fit well in the FreeBSD roadmap. Then
> >>>> there's the question of maintainability. We gave the author a commit bit so
> >>>> that he could maintain it. That doesn't happen anymore and it sounds like
> >>>> he has since moved away from FreeBSD. I cannot find any reason to burden
> >>>> another FreeBSD developer with maintaining ipfilter.
> >>>>
> >>> One thing that FreeBSD is bad about (and this really applies to many
> >>> open source projects) when deprecating something is that the developer and
> >>> release engineering groups rarely provide adequate, if any, tools to help
> >>> users transition and cope with the deprecation. The fear of deprecation
> >>> can be largely overcome by giving these users a clear and comprehensive
> >>> path forward. Just announcing "ipfilter is going away. EOM" is inadequate
> >>> and leads to completely justified complaints from users.
> >> I agree with the deprecation path, but given the amount of changes that
> >> happened in the last 6 months, I'm not even sure ipfilter is working fine
> >> in FreeBSD CURRENT, but I haven't tested it.
> >>> So with that said, would it be possible to write some tutorials on how
> >>> to migrate an ipfilter installation to pf? Maybe some mechanical syntax
> >>> docs accompanied by a few case studies? Is it possible for a script to
> >>> automate some of the common mechanical changes? Also essential is a clear
> >>> document on what goes away with ipfilter and what is gained with pf. Once
> >>> those tools are written, I suggest announcing that ipfilter is available
> >>> but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD
> >>> 11. Certain people will still pitch a fit about it departing, but if the
> >>> tools are there to help the common users, you'll be successful in winning
> >>> mindshare and general support.
> >> It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf,
> >> but I'm not sure automated tools exist. I'm also not convinced we need to
> >> write them and I think the issue can be dealt with by writing a bunch of
> >> examples on how to do it manually. Then we can give people 1y to switch.
> >> Regards,
> >> --
> >> Rui Paulo
> >
> > Wow boys, This conversation has gotten way off track. Looking for a
> > maintainer for ipfilter is totally different than opening the dead subject
> > of removing ipfilter from the system.
> >
> > The project has been in search of a maintainer for ipfilter for many
> > years. Gleb's most recent plea is just the latest round in this loose
> > battle.
> >
> > Look at openbsd's pf, it's been forked and is now freebsd maintained. New
> > upstream versions of Ipfilter have always needed tweaking before it can be
> > included in the base system. If you're unsatisfied with the lack of bug
> > fixes, then ask the author for special permission to create a fork if his
> > license doesn't allow it now.
> >
> > The point is: ipfilter is part of FreeBSD and you are never going to
> > remove it. Accept that fact.
> >
>
> Negative, amigo. Without passionate interest in developing ipfilter, it's
> just a roadblock and an eyesore. Abandonware needs to be culled.
>
> Scott
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."