From: Mark Felder
To: Andreas Nilsson
Cc: Gleb Smirnoff, Darren Pilgrim, Current FreeBSD, Mailinglists FreeBSD
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Sat, 19 Jul 2014 08:50:06 -0500
Message-Id: <8E7D9358-29BA-48F9-9067-1BBA48470673@FreeBSD.org>

On Jul 19, 2014, at 3:35, Andreas Nilsson wrote:

> On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
>
>> On 7/18/2014 4:06 AM, Gleb Smirnoff wrote:
>>
>>> K> b) We are a major release away from OpenBSD (5.6 coming soon) - is
>>> K> following OpenBSD's pf the past? - should it be?
>>>
>>> Following OpenBSD on features would be cool, but no bulk imports
>>> would be made again. Bulk imports produce bad quality of port,
>>> and also pf in OpenBSD has no multi thread support.
>>>
>>
>> I would much rather have a slower pf that actually supports modern
>> networking than a faster one I can't use due to showstopper flaws and
>> missing features.
>>
>
> So would I. Not that we use pf, but anyway.
>
>>
>> There is currently no viable firewall module for FreeBSD if you want to do
>> things like route IPv6.
>
>
> Isn't that possible with ipfw?
>
> Perhaps the pf guys in OpenBSD could be convinced to start openpf and have
> porting layer as in openzfs.
>

I do not know ipfw IPv6 limitations, but the Wikipedia article says:

* IPv6 support (with several limitations)

Choice is nice, but I would like to see the project promote one firewall
to users. My coworkers long ago jumped ship from ipfw to pf and I now
regret that decision due to the IPv6 bugs. At this point it's too hard
to migrate all the servers off of pf.