Date: Fri, 21 Jun 2013 23:24:00 -0400
From: Maxim Khitrov <max@mxcrypt.com>
To: Stan Gammons <s_gammons@charter.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF bugs
Message-ID: <CAJcQMWdAqO827TUmh6rRYQkPvuimXBBC4CcoGWf_Sc-x%2B7aT3A@mail.gmail.com>
In-Reply-To: <1371865788.22524.9.camel@localhost>
References: <1371865788.22524.9.camel@localhost>

On Fri, Jun 21, 2013 at 9:49 PM, Stan Gammons <s_gammons@charter.net> wrote:
> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
> firewall on FreeBSD? Or is IPFW? I like PF, but reporting utilities
> for it, compared to ipfilter and even iptables on Linux, leave a bit to
> be desired.
>
>
> Stan

For what it's worth, I've been gradually migrating the few firewalls
that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use
for protecting individual servers, but I find that the new syntax,
which was introduced after OpenBSD 4.5, produces rulesets that are
more compact and easier to maintain when it comes to routing traffic
between networks. The new priority queuing (set prio) is much simpler
than ALTQ (and should perform better, though I haven't tested this).
I'm also looking forward to the work that's being done to free HFSC
from ALTQ and make it understandable and usable by mere mortals.

PF is still my choice on FreeBSD and I've never had any issues with
the tools (pfctl and pftop primarily), but OpenBSD's version is more
actively maintained and improved. There have been plenty of
discussions about porting a more recent version of pf to FreeBSD
(search the archives) and it doesn't look like that will happen any
time soon.

If you'd like to understand the differences between the two, below are
a few presentations on the topic:

Faster Packets - Performance Tuning in the OpenBSD network stack and pf
http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
http://www.youtube.com/watch?v=yqG67o4bYgY

10 years of pf
http://quigon.bsws.de/papers/2011/pf10yrs/
http://cisx1.uma.maine.edu/~wbackman/bsdtalk/BSDCan2011/10YearsofPF.mp3

OpenBSD network stack evolution
http://quigon.bsws.de/papers/2012/bsdcan/
http://www.youtube.com/watch?v=r6Nx15UGWZc