From owner-freebsd-questions@FreeBSD.ORG  Mon Jul 21 21:48:57 2014
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id AC6A5A91;
 Mon, 21 Jul 2014 21:48:57 +0000 (UTC)
Received: from host64.kissl.de (host64.kissl.de [213.239.241.64])
 by mx1.freebsd.org (Postfix) with ESMTP id 67104282B;
 Mon, 21 Jul 2014 21:48:56 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by host64.kissl.de (Postfix) with ESMTP id 836B7A5A616B;
 Mon, 21 Jul 2014 23:48:49 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at host64.kissl.de
Received: from host64.kissl.de ([127.0.0.1])
 by localhost (host64.kissl.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id nIawy4D6KVv1; Mon, 21 Jul 2014 23:48:49 +0200 (CEST)
Received: from [192.168.0.11] (95-91-254-222-dynip.superkabel.de
 [95.91.254.222]) (Authenticated sender: web104p1)
 by host64.kissl.de (Postfix) with ESMTPSA id 059E0A5A6169;
 Mon, 21 Jul 2014 23:48:48 +0200 (CEST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
From: Franco Fichtner <franco@lastsummer.de>
In-Reply-To: <53CC85E2.1030606@freebsd.org>
Date: Mon, 21 Jul 2014 23:48:49 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3581EF3-1F64-4568-8115-3418703ABD00@lastsummer.de>
References: <53C706C9.6090506@com.jkkn.dk>
 <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de>
 <53CB4736.90809@bluerosetech.com> <53CC85E2.1030606@freebsd.org>
To: Julian Elischer <julian@freebsd.org>
X-Mailer: Apple Mail (2.1878.6)
Cc: "Kristian K. Nielsen" <freebsd@com.jkkn.dk>, freebsd-current@freebsd.org,
 Darren Pilgrim <list_freebsd@bluerosetech.com>, freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 21:48:57 -0000

Hi Julian,

On 21 Jul 2014, at 05:15, Julian Elischer <julian@freebsd.org> wrote:

> Most people I talk to just use ipfw and couldn't care whether pf lives =
or dies.  They have simple requirements and almost any filter would =
suffice.  I haven't found anything I'd want to use pf for that ipfw =
doesn't allow me to do. There are things pf does that ipfw doesn't... I =
just never want them..

this is quite insightful.  The gist of this discussion and the apparent
lack of upgrades to pf(4) seem to indicate that:

(a) other packet filters do the required jobs equally or better
    or performance doesn't matter at all.

(b) for more progressive setups and requirements, FreeBSD servers
    may as well be complemented with commercial firewalls, hand-rolled
    or non-FreeBSD solutions

Is that somewhat accurate, or is there more to the story?


Cheers,
Franco=