From owner-freebsd-questions@FreeBSD.ORG Sun Jul 20 04:36:26 2014
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 181A7174;
	Sun, 20 Jul 2014 04:36:26 +0000 (UTC)
Received: from yoshi.brtsvcs.net (yoshi.brtsvcs.net [IPv6:2607:f2f8:a450::66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id F2DF42EA7;
	Sun, 20 Jul 2014 04:36:25 +0000 (UTC)
Received: from chombo.houseloki.net (c-73-37-112-64.hsd1.or.comcast.net [73.37.112.64])
	by yoshi.brtsvcs.net (Postfix) with ESMTPSA id 997E0E603E;
	Sat, 19 Jul 2014 21:36:19 -0700 (PDT)
Received: from [IPv6:2601:7:2280:38b:baca:3aff:fe83:bd29] (unknown [IPv6:2601:7:2280:38b:baca:3aff:fe83:bd29])
	by chombo.houseloki.net (Postfix) with ESMTPSA id 97842DA;
	Sat, 19 Jul 2014 21:36:17 -0700 (PDT)
Message-ID: <53CB4736.90809@bluerosetech.com>
Date: Sat, 19 Jul 2014 21:36:06 -0700
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Franco Fichtner, "Kristian K. Nielsen"
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de>
In-Reply-To: <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 20 Jul 2014 04:36:26 -0000

On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>> discussion on the pf-mailing list flamed the new syntax saying it would
>> cause FreeBSD administrators too much headache. Today on the list it seems
>> everyone wants it - so would we rather stay on a dead branch than keep up
>> with the main stream?
>
> I'd say many people are comfortable with an old state of pf (silent
> majority), but that shouldn't keep us from catching up with newer
> features (and of course bugfixes).

Never mistake silence for consent. The vast majority of people don't know 
pf is outdated and broken on FreeBSD because they don't know what they're 
missing and likely aren't using IPv6 yet. The moment you turn on IPv6 and 
restart a validating unbound, you run full-speed into pf's broken 
behaviour. Make an EDNS0-enabled query for a signed zone and you'll get a 
fragmented UDP packet that will never make it through unless you tell pf 
to allow all fragments unconditionally. They'll simply think something is 
wrong with unbound, turn off EDNS0 and/or validation, hurt performance 
and/or security in the process, and never realize their firewall is doing 
literally the worst possible thing it could do. All because over half a 
decade ago some folks got all butthurt over a config file format change.
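The failure mode Darren describes, laid out as an added pf.conf illustration (not part of the original message, and not FreeBSD's or the pf project's own configuration). The interface name em0 and the resolver address 2001:db8::53 are assumptions chosen for the example.

```pf
# Added example: why large EDNS0 answers to a validating resolver die on a
# pf that does not reassemble IPv6 fragments, and the workaround it forces.
# Assumed: external interface em0, validating unbound on 2001:db8::53.
ext_if   = "em0"
resolver = "2001:db8::53"

# Reassemble fragments before rule evaluation. On the pf versions this thread
# is about, this only helps IPv4; IPv6 fragments are still evaluated one by one.
scrub in on $ext_if all fragment reassemble

# Default deny inbound.
block in on $ext_if

# The resolver's outbound queries create state. The FIRST fragment of a big
# DNSSEC response carries the UDP header, matches that state and is passed...
pass out on $ext_if inet6 proto udp from $resolver to any port 53 keep state

# ...but every LATER fragment carries only an IPv6 Fragment header and no UDP
# ports, matches no state, and is silently dropped by "block in" above.
# unbound then sees a response that never completes and the query times out.
#
# Workaround available on such a pf: pass fragment headers explicitly.
# This is the "allow all fragments unconditionally" Darren refers to,
# narrowed here to fragments addressed to the resolver, but it is still a
# stateless hole: any non-first fragment sent to $resolver gets in.
pass in quick on $ext_if inet6 proto ipv6-frag from any to $resolver

# On a pf that does reassemble IPv6 fragments, the ipv6-frag rule is not
# needed: the scrub rule rebuilds the datagram and the whole response
# matches the outbound state like any other UDP reply.
```

To reproduce the symptom from the resolver host, ask for a record set large enough to exceed the path MTU with EDNS0 enabled, for instance `dig +dnssec +bufsize=4096 DNSKEY <some signed zone> @2001:db8::53`, and compare the result with the ipv6-frag rule commented out and in. With it out, the query should time out or fall back; with it in, the full validated answer comes back. If instead you see an answer after disabling EDNS0 or validation in unbound, that is exactly the quiet, performance- and security-degrading "fix" the message warns about.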