Date: Tue, 20 Nov 2012 13:24:49 +0100 From: Olivier Smedts <olivier@gid0.org> To: Gary Palmer <gpalmer@freebsd.org> Cc: Paul Webster <paul.g.webster@googlemail.com>, freebsd-current@freebsd.org Subject: Re: Upgrading FreeBSD to use the NEW pf syntax. (Copied from freebsd-pf) Message-ID: <CABzXLYPNj3FxpsPZ5gO_p5kjFX441m3zpKT9eHRyXvXEyjpqjw@mail.gmail.com> In-Reply-To: <20121120121333.GB88593@in-addr.com> References: <op.wn1vxr1jjfousr@box.dlink.com> <CABzXLYPYtQanh5O6%2BTH0=e46P990iXcDoB0apY_BOtzmn9-S7Q@mail.gmail.com> <20121120121333.GB88593@in-addr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
2012/11/20 Gary Palmer <gpalmer@freebsd.org>:
> On Tue, Nov 20, 2012 at 11:43:04AM +0100, Olivier Smedts wrote:
>> 2012/11/20 Paul Webster <paul.g.webster@googlemail.com>:
>> > I am aware this is a much discussed subject since the upgrade of PF, I
>> > believe the final decision was that to many users are used to the old
>> > style pf and an upgrade to the new syntax would cause to much confusion.
>>
>> But a change like this is expected in a new major branch, ie.
>> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
>> problem here.
>
> So you don't expect people to upgrade boxes in place?
I expect that before upgrading to a *major* version you should read an
updating or "what's changed" documentation.
> I also guess you've never been 5,000 miles away from a box and typo'd something
> in the firewall and locked yourself out. The think how tons of FreeBSD
> users would feel if the default pf syntax was changed to be incompatible and
> they find themselves in a similar situation after an upgrade. Defaulting to
> open, while it could solve the problem (although I would suspect there could
> be edge cases where it doesn't), could be bad for other reasons.
This already happened to me but, no, not during a major upgrade
because I won't do this kind of work without at least someone on-site.
> The other question that I haven't seen answered (or maybe even asked), but
> is relevant: what do we gain by going to a later version of pf? I.e. as an
> administrator, what benefit do I get by having to expend effort converting
> my filter rules?
>
> Gary
At some time we'll surely *have* to upgrade our pf, because the legacy
version won't be supported upstream. I say that a major release is the
most appropriated place for such a change.
Another question : how did OpenBSD managed this change ?
Cheers
--
Olivier Smedts _
ASCII ribbon campaign ( )
e-mail: olivier@gid0.org - against HTML email & vCards X
www: http://www.gid0.org - against proprietary attachments / \
"Il y a seulement 10 sortes de gens dans le monde :
ceux qui comprennent le binaire,
et ceux qui ne le comprennent pas."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CABzXLYPNj3FxpsPZ5gO_p5kjFX441m3zpKT9eHRyXvXEyjpqjw>