Date:      Wed, 17 Dec 2014 18:47:40 -0600
From:      Jim Thompson <jim@netgate.com>
To:        Christopher Petrik <chris@bsdjunk.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Alternative to pf?
Message-ID:  <4F19F7E8-0286-4F2F-B4E3-9DCB8B3BFF9B@netgate.com>
In-Reply-To: <20141218001656.GA18291@bsdjunk.com>
References:  <7be936232e96ae10d9734598014fd9d5@pyret.net> <20141218001656.GA18291@bsdjunk.com>



> On Dec 17, 2014, at 6:16 PM, Christopher Petrik <chris@bsdjunk.com> wrote:
> 
> On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
>> Hi,
>> 
>> During the year there have been several discussions regarding the state of pf
>> in FreeBSD. In most cases it seems to boil down to that it's too
>> hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD. As
>> it's been mentioned Apple seems to update pf somewhat (copyright is changed
>> to 2013 at least) and file size differs between OS X releases but I wasn't
>> able to find any commit logs.
>> 
>> That said, NetBSD have something similar to pf in syntax called npf which
>> seems actively maintained and the author seems open to the idea of porting
>> it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling ALTQ comes to mind
>> etc).
>> Perhaps this might be worth looking into and in the end drop pf due to the
>> reasons above?
>> 
>> That said, don't forget all the work that has gone into getting pf where it
>> is today.
>> While I'm at it, does anyone other than me use ALTQ? While it's not
>> multithreaded I find it a very good "tool" and it does shaping really well.
>> 
>> Best regards,
>> Daniel
> Hi,
> I think the real question is, "Do we really need so many firewall suites
> in FreeBSD?" We have ipfw, ipf, pf. I think the solution would be to port
> npf, as its basis is to be portable. I use it and it takes some getting
> used to but it looks promising. But then this creates a 4th suite to add
> into FreeBSD?

We could ‘port’ it to run on top of netmap (like the version of ipfw that runs over netmap).

Then it’s not necessarily “in” FreeBSD.



Jim

