Date:      Wed, 17 Dec 2014 18:47:40 -0600
From:      Jim Thompson <jim@netgate.com>
To:        Christopher Petrik <chris@bsdjunk.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Alternative to pf?
Message-ID:  <4F19F7E8-0286-4F2F-B4E3-9DCB8B3BFF9B@netgate.com>
In-Reply-To: <20141218001656.GA18291@bsdjunk.com>
References:  <7be936232e96ae10d9734598014fd9d5@pyret.net> <20141218001656.GA18291@bsdjunk.com>


> On Dec 17, 2014, at 6:16 PM, Christopher Petrik <chris@bsdjunk.com> wrote:
>
> On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
>> Hi,
>>
>> During the year there have been several discussions regarding the state of pf
>> in FreeBSD. In most cases it seems to boil down to that it's too
>> hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD. As
>> it's been mentioned Apple seems to update pf somewhat (copyright is changed
>> to 2013 at least) and file size differs between OS X releases but I wasn't
>> able to find any commit logs.
>>
>> That said, NetBSD have something similar to pf in syntax called npf which
>> seems actively maintained and the author seems open to the idea of porting
>> it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling ALTQ comes to mind
>> etc).
>> Perhaps this might be worth looking into and in the end drop pf due to the
>> reasons above?
>>
>> That said, don't forget all the work that has gone into getting pf where it
>> is today.
>> While I'm at it, does anyone other than me use ALTQ? While it's not
>> multithreaded I find it a very good "tool" and it does shaping really well.
>>
>> Best regards,
>> Daniel
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> Hi,
> I think the real question is, "Do we really need so many firewall suites
> in FreeBSD" we have ipfw, ipf, pf I think the solution would be to port
> npf as its basis is to be portable. I use it and it takes some getting
> used to but it looks promising. But then this creates a 4th suite to add
> into FreeBSD?

We could ‘port’ it to run on top of netmap (like the version of ipfw that runs over netmap).

Then it’s not necessarily “in” FreeBSD.



Jim


