From: Mark Felder
To: freebsd-security@freebsd.org, Robert Simmons
Subject: Re: Firewall Options
Date: Mon, 4 Mar 2013 08:12:48 -0600

On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons wrote:

> Are there plans to update ipfilter or pf to current versions?
> ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
> from 2007.
>
> On the pf side, the version in FreeBSD is 4.5, but the current version
> I would understand to be 5.2. The version in FreeBSD is pre-4.7, so
> much of the syntax in the current documentation is different and does
> not work in this older version.
>
> Is IPFW the only maintained firewall option, or is there a way to
> build either of the above as ports?
>

It takes a *lot* of work to re-port packet filters to a different BSD kernel and ensure everything works perfectly. We recently received a nice pf version bump with the release of 9.0 and it doesn't seem likely we'll see another soon. There is an SMP-friendly fork of pf in progress for FreeBSD. It may very well turn out that FreeBSD's pf completely diverges from OpenBSD's permanently as OpenBSD has no interest in an SMP-friendly pf.

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html

As for IPFW -- I honestly don't know. I can't remember the last time there was a major update of IPFW for FreeBSD.