Date: Mon, 21 Jul 2014 21:57:21 +0800 From: "bycn82" <bycn82@gmail.com> To: "'Andreas Nilsson'" <andrnils@gmail.com>, <sthaug@nethelp.no> Cc: 'Maxim Khitrov' <max@mxcrypt.com>, 'Current FreeBSD' <freebsd-current@freebsd.org>, 'Mailinglists FreeBSD' <freebsd-questions@freebsd.org> Subject: RE: Future of pf / firewall in FreeBSD ? - does it have one ? Message-ID: <002601cfa4eb$b4554270$1cffc750$@gmail.com> In-Reply-To: <CAPS9%2BSsCQr1ME8gX7%2Bh_8s_1wwC3kg-9=_JhynJZ8pM6e5-qYw@mail.gmail.com> References: <CAPS9%2BStPJRVSFLjpxgVEewT9fwHHFxw=qODAYa=uOAzb-V=v2Q@mail.gmail.com> <20140721.074105.74747815.sthaug@nethelp.no> <CAPS9%2BSsSmxZnTF8AEmEmWtGOd_8A%2Bd_8cYUYhuC3OsLYFxGHGQ@mail.gmail.com> <20140721.085616.74744313.sthaug@nethelp.no> <CAPS9%2BSsCQr1ME8gX7%2Bh_8s_1wwC3kg-9=_JhynJZ8pM6e5-qYw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
There is no doubt that PF is a really good firewall, But we should = noticed that there is an ipfw which is originally from FreeBSD while PF = is from OpenBSD. If there is a requirement that PF can meet but ipfw cannot, then I think = it is better to improve the ipfw. But if you just like the PF style, = then I think choose OpenBSD is the better solution. Actually OpenBSD is = another really good operating system.=20 Like myself, I like CentOS and ipfw, so no choice :) > -----Original Message----- > From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd- > current@freebsd.org] On Behalf Of Andreas Nilsson > Sent: 21 July, 2014 19:46 > To: sthaug@nethelp.no > Cc: Maxim Khitrov; Current FreeBSD; Mailinglists FreeBSD > Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ? >=20 > On Mon, Jul 21, 2014 at 8:56 AM, <sthaug@nethelp.no> wrote: >=20 > > > > > Also, the openbsd stack has some essential features missing in > > freebsd, > > > > > like mpls and md5 auth for bgp sessions. > > > > > > > > I use MD5 auth for BGP sessions every day (and have been doing = so > > > > for several releases). One could definitely wish for better > > > > integration - having to specify MD5 key both in /etc/ipsec.conf > > > > and in the Quagga bgpd config is not nice. But it works. > > > > > > > As far as I know you can only send out correctly authed stuff but > > > not validate incoming. Has that changed? > > > > Have a look at tcp_signature_verify(), called from tcp_input.c. = Added > > in r221023, see > > > > = http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=3Dlog > > > > Steinar Haug, Nethelp consulting, sthaug@nethelp.no > > > > = ---------------------------------------------------------------------- > > > > Revision 221023 - (view) (download) (annotate) - [select for diffs] > > Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by > > attilio File length: 106717 byte(s) Diff to previous 220560 Add the > > possibility to verify MD5 hash of incoming TCP packets. > > As long as this is a costy function, even when compiled in (along = with > > the option TCP_SIGNATURE), it can be disabled via the > > net.inet.tcp.signature_verify_input sysctl. > > > > Sponsored by: Sandvine Incorporated > > Reviewed by: emaste, bz > > MFC after: 2 weeks > > > > I stand corrected. Excellent news ( for me, that is) :) >=20 > Best regards > Andeas > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current- > unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002601cfa4eb$b4554270$1cffc750$>