Date: Thu, 28 Mar 2002 12:12:00 -0800
From: "Crist J. Clark"
To: Attila Nagy
Cc: Alex Holst, security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
X-URL: http://people.freebsd.org/~cjc/

On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> Hello,
>
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which have different codebases. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)
>
> With PF some more features could also be ported, like the bridge support.
> And that would be a good thing also.

There is nothing special about PF that makes bridge support easier.
After all, there is mature bridging support for IPFilter in OpenBSD. I
also recently committed a hack for IPFilter bridging support in
-CURRENT. I'll put the -STABLE patches on the website listed in the
headers and .sig today if anyone wants 'em.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org