From: Damien Fleuriot
Date: Mon, 21 Feb 2011 09:17:55 +0100
To: Maxim Khitrov
Cc: freebsd-pf@freebsd.org
Subject: Re: PF from OpenBSD 4.7
Message-Id: <9EFB32D1-489C-44C5-8D70-95685099AC03@my.gd>

On 20 Feb 2011, at 23:16, Maxim Khitrov wrote:

> On Sun, Feb 20, 2011 at 4:16 PM, jhell wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell wrote:
>>>>
>>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>>
>>>>> I heard a while ago about a packet filter update coming, but there's no
>>>>> news about it. What is the status of this update?
>>>>>
>>>>
>>>> This was for OpenBSD pf45 not pf47. The patchset should be somewhere in
>>>> the archives for HEAD.
>>>>
>>>
>>> Differences between pf45 and pf47 are much smaller than between pf45
>>> and current pf.
>>>
>>> I've found them, but there's no status about it. Should I ask the same question
>>> in the freebsd-current@ mailing list?
>>>
>>
>> Difference being that after pf45 there was a syntax change that is nearly
>> incompatible with the current pf41-45 syntax so AFAIR based on that pf45 was
>> voted as the most likely to be merged into HEAD.
>>
>> There is an email from Theo @openbsd.org about the syntactic changes that
>> have made people a little jumpy at adopting pf > 45 but eventually it will
>> work its way in.
>>
>> What advantages to using pf47 over using pf45 have you found in ``real use''
>> ? and how realistic are those changes for the masses ?
>
> The firewall (FreeBSD 7.3) that I manage at work currently contains 36
> nat/rdr rules and 39 filter rules. It's responsible for passing
> traffic between 4 different networks. After reading the OpenBSD pf
> FAQ, the biggest advantage that I see of pf47+ is the ability to
> combine related filter/nat/rdr rules, making the entire ruleset easier
> to maintain.
>

See it another way, you've got as little as 70 rules to maintain, overall.
I have 1k ish spread over roughly 20 PF boxes.

While I yearn for the ability to use include directives and such, my main concern remains that during an upgrade the risk be minimal.

> Personally, I would love to see the latest version of pf make it into
> FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
> syntax is not as important to me as the ability to simplify my set of
> rules.
>

As a matter of fact and without considering whether this would be doable or not:

It would be awesome to be able to choose in the kernel config file the desired version for pf.
Have both pf45 and pf47, with the current "pf" entry referring to pf45 not to break anything.

Would that even be feasible guys ?

> - Max
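The nat/rdr consolidation Max describes, as an added pf.conf fragment that is not part of the thread: the same inbound web-server redirection and outbound NAT written first in the pf 4.1-4.5 syntax FreeBSD 7.x/8.x ship, then in the OpenBSD 4.7 syntax. The interface, network and host names are constructed for illustration.

```pf
# Added example, not from the mailing list thread.
# Constructed values: em0, 192.168.1.0/24, 192.168.1.10.
ext_if  = "em0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# --- pf 4.1-4.5 syntax: translation and filtering are separate sections.
# Translation runs first, so the filter rule must name the internal
# (post-translation) destination, not the external address.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

block in all
pass in on $ext_if proto tcp from any to $web_srv port 80
pass out on $ext_if from $int_net to any

# --- OpenBSD 4.7+ syntax: nat-to / rdr-to are options on match or pass
# rules, so a translation and its filter decision fit in one rule each.
# A pass ... rdr-to rule matches the packet as it arrives, i.e. on the
# external address; copying the old "to $web_srv" filter rule over
# unchanged would silently stop matching.
block all
match out on $ext_if from $int_net to any nat-to ($ext_if)
pass out on $ext_if from $int_net to any
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
```

The two halves cannot coexist in a single pf.conf; they are shown together only to compare the syntaxes, and a ruleset moving from one to the other needs each filter rule re-checked against the address it now sees.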