From owner-freebsd-current@FreeBSD.ORG Tue Nov 20 14:43:27 2012
From: Mark Martinec
Organization: J. Stefan Institute
To: freebsd-pf@freebsd.org
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
Date: Tue, 20 Nov 2012 15:43:17 +0100
Message-Id: <201211201543.17903.Mark.Martinec+freebsd@ijs.si>
Cc: freebsd-current@freebsd.org

Paul Webster wrote:
> I am aware this is a much discussed subject since the upgrade of PF,
> I believe the final decision was that too many users are used to the old
> style pf and an upgrade to the new syntax would cause too much confusion.

I don't buy that. Think of the confusion in a year or two when OpenBSD PF
rules and the PF documentation won't match the legacy syntax in FreeBSD's PF.

Maxim Khitrov wrote:
> > 1) To move to the newer pf and just add to release notes what had
> > happened,
> My vote is for option 1, but I'll also be happy with option 2 if it
> costs little to maintain both versions. I'm pretty much for anything
> that brings pf in sync (or close to it) with OpenBSD.

My sentiments exactly.

Olivier Smedts wrote:
> But a change like this is expected in a new major branch, i.e.
> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
> problem here.

Indeed.

Gary Palmer wrote:
> So you don't expect people to upgrade boxes in place?
> I also guess you've never been 5,000 miles away from a box and typo'd
> something in the firewall and locked yourself out. Then think how tons
> of FreeBSD users would feel if the default pf syntax was changed to be
> incompatible and they find themselves in a similar situation after an
> upgrade.

The risk of locking oneself out even on minor fiddling with fw rules on a
remote machine, let alone upgrading its OS, is something that every
administrator is already aware of. Working without a safety net is unwise
for a hobbyist, and unacceptable for a professional. I don't think the
above argument holds water.

Olivier Smedts wrote:
> Another question: how did OpenBSD manage this change?

This is from http://www.openbsd.org/faq/upgrade46.html
|
| If you reboot your system without a usable pf.conf file in place, your pf
| rules will not be loaded, and you will end up using the default rule set,
| which will block all traffic EXCEPT for ssh over the standard port 22.
| This means that if you do not fix your pf.conf rules before rebooting,
| you may be greeted by a box that does not even respond to pings.
| Do not panic, as you can still ssh to the box, assuming you have sshd(8)
| listening on the usual port.

Gary Palmer wrote:
> The other question that I haven't seen answered (or maybe even asked), but
> is relevant: what do we gain by going to a later version of pf? I.e. as an
> administrator, what benefit do I get by having to expend effort converting
> my filter rules?

For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
translation rule in newer pf (5.1?), committed on 2011-10).

Other: packet normalization (scrub) has been reworked and simplified, and
is now a ruleset option.

Considering that scrub is currently broken (9.1, see list of PF bugs in
FreeBSD), along with several other bugs that need fixing, it seems the
(scarce) manpower would better be spent in moving on than in keeping the
already leaky (buggy) pf afloat.

I think the compatibility issue should not be used as an excuse for not
moving on. You can't make an omelette without breaking eggs.

Mark
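The "safety net" Mark refers to above is the piece a practitioner actually
has to build when converting a remote box's rules. The script below is an
added example written for this archive page; it is not from the thread, and
it is not a FreeBSD or OpenBSD tool. The only pfctl(8) behaviour it relies on
is real: `pfctl -nf FILE` parses a ruleset without loading it, and
`pfctl -f FILE` replaces the active ruleset with the one in FILE. The script
name, the variable names, the confirm-flag and log paths under /var/run and
the DRY_RUN mode are this example's own conventions. It syntax-checks the new
ruleset, arms a background watchdog that reloads the old ruleset after a
grace period unless a confirmation file appears, and only then loads the new
rules.

```shell
#!/bin/sh
# safe_pf_reload.sh: load a new pf ruleset with a timed automatic rollback.
# Added example for this thread; not a FreeBSD or OpenBSD tool. Real pfctl(8)
# flags used: -n (parse only, do not load), -f FILE (load ruleset from FILE).
# Everything else (names, paths, DRY_RUN) is this script's own convention.
set -u

PFCTL=${PFCTL:-pfctl}            # pfctl binary (override for testing)
GRACE=${GRACE:-120}              # seconds to wait for confirmation
STATE_DIR=${STATE_DIR:-/var/run}
CONFIRM_FLAG="$STATE_DIR/pf-reload.confirmed"
WATCHDOG_LOG="$STATE_DIR/pf-reload.log"

# run_pfctl ARGS...: run pfctl, or with DRY_RUN set just print the command.
run_pfctl() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'pfctl %s\n' "$*"
    else
        "$PFCTL" "$@"
    fi
}

# check_syntax FILE: parse FILE without touching the running ruleset.
check_syntax() {
    run_pfctl -nf "$1"
}

# start_watchdog OLD_CONF: after GRACE seconds, reload OLD_CONF unless the
# confirm flag has appeared. SIGHUP is ignored so the watchdog outlives the
# ssh session, which is exactly what dies when the new rules lock you out.
start_watchdog() {
    old=$1
    rm -f "$CONFIRM_FLAG"
    (
        trap '' HUP
        sleep "$GRACE"
        if [ -f "$CONFIRM_FLAG" ]; then
            echo "confirmed, keeping new ruleset" >> "$WATCHDOG_LOG"
        else
            echo "no confirmation, rolling back to $old" >> "$WATCHDOG_LOG"
            run_pfctl -f "$old" >> "$WATCHDOG_LOG" 2>&1
        fi
    ) >/dev/null 2>&1 &
}

# safe_reload NEW_CONF OLD_CONF: check NEW, arm the watchdog, then load NEW.
# Returns 0 when loaded (watchdog armed), 1 on syntax error, 2 on load error.
safe_reload() {
    new=$1 old=$2
    check_syntax "$new" || return 1
    start_watchdog "$old"
    run_pfctl -f "$new" || return 2
}

# confirm: tell the watchdog the new ruleset did not lock us out.
confirm() {
    : > "$CONFIRM_FLAG"
}

# Usage:
#   sh safe_pf_reload.sh load /etc/pf.conf.new /etc/pf.conf
#   (open a second ssh session to prove you still get in, then within GRACE:)
#   sh safe_pf_reload.sh confirm
case "${1:-}" in
    load)    safe_reload "$2" "$3" ;;
    confirm) confirm ;;
esac
```

Load the converted ruleset from a separate file, open a second ssh session
to prove the new rules still let you in, and confirm before the grace period
ends; if the session hangs instead, wait and the previous rules come back on
their own, because pfctl -f replaces the whole ruleset and rolling back is
just loading the old file again. The watchdog is only a process: it does
nothing for the case the OpenBSD FAQ passage quoted above describes, a
reboot with a pf.conf that no longer parses, so keep the old file in place
as /etc/pf.conf until the new one has been confirmed on a running system.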