From: "bycn82"
To: "'Allan Jude'"
Subject: RE: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Tue, 22 Jul 2014 13:02:26 +0800

I thought the nat in ipfw is as elegant as in iptables :)
But it is good to know that, because different opinion actually is a chance to improve.
And why not share with us why the ipfw nat is cumbersome or how to be not cumbersome.

> -----Original Message-----
> From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Allan Jude
> Sent: 22 July, 2014 7:13
> To: freebsd-current@freebsd.org
> Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
>
> On 2014-07-21 09:57, bycn82 wrote:
> > There is no doubt that PF is a really good firewall, but we should notice that there is an ipfw which is originally from FreeBSD while PF is from OpenBSD.
> >
> > If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve the ipfw. But if you just like the PF style, then I think choosing OpenBSD is the better solution. Actually OpenBSD is another really good operating system.
> >
> > Like myself, I like CentOS and ipfw, so no choice :)
> >
>
> The only thing I've really found lacking in IPFW is the NAT implementation. Specifically, when trying to do port-forwarding. All of the rules have to go in the single 'ipfw nat' rule, and it makes it cumbersome to manage.
>
> --
> Allan Jude