From owner-freebsd-security  Thu Mar 28 12:12: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88])
	by hub.freebsd.org (Postfix) with ESMTP id 79D7937B405
	for <security@FreeBSD.ORG>; Thu, 28 Mar 2002 12:12:03 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020328201203.ILPC1147.rwcrmhc52.attbi.com@blossom.cjclark.org>;
          Thu, 28 Mar 2002 20:12:03 +0000
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.6) id g2SKC0D98221;
	Thu, 28 Mar 2002 12:12:00 -0800 (PST)
	(envelope-from cjc)
Date: Thu, 28 Mar 2002 12:12:00 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Attila Nagy <bra@fsn.hu>
Cc: Alex Holst <a@area51.dk>, security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Message-ID: <20020328121200.C97841@blossom.cjclark.org>
References: <20020328064640.GA74780@area51.dk> <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu>; from bra@fsn.hu on Thu, Mar 28, 2002 at 01:20:40PM +0100
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> Hello,
> 
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which has a different codebase. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)
> 
> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.

There is nothing special about PF that makes bridge support
easier. Afterall, there is mature bridging support for IPFilter in
OpenBSD. I also recently committed a hack for IPFilter bridging
support in -CURRENT. I'll put the -STABLE patches on the website
listed in the headers and .sig today if anyone wants 'em.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message