From: "Koornstra, Reinoud"
To: Mark Felder, "freebsd-security@freebsd.org", Robert Simmons
Subject: RE: Firewall Options
Date: Mon, 4 Mar 2013 22:34:58 +0000
Message-ID: <0EEF6678B3EEC94B9AE44705DF224D023697268C@G9W0725.americas.hpqcorp.net>

Hi Mark,

Why not consider NPF from NetBSD where SMP friendly firewalling is a given.
I do understand it'll cost lots of work too, but it might be more easy to making pf SMP friendly.
Then again, making software MPsafe and having it perform very well with SMP are two different things.
Considering NPF has been taking this into account from day one, performance wise it might be best to consider NPF.

Please note that I didn't say anything about the quality or functionality about pf and npf.
NPF was designed with performance in mind.
Also I did not say anything about the memory usage and their efficiency in that field.
I feel I need to point these things about before I unintentionally offend some people.

Thanks,

Reinoud.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mark Felder
Sent: Monday, March 04, 2013 6:13 AM
To: freebsd-security@freebsd.org; Robert Simmons
Subject: Re: Firewall Options

On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons wrote:

> Are there plans to update ipfilter or pf to current versions?
> ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
> from 2007.
>
> On the pf side, the version in FreeBSD is 4.5, but the current version
> I would understand to be 5.2. The version in FreeBSD is pre-4.7, so
> much of the syntax in the current documentation is different and does
> not work in this older version.
>
> Is IPFW the only maintained firewall option, or is there a way to
> build either of the above as ports?
>

It takes a *lot* of work to re-port packet filters to a different BSD kernel and ensure everything works perfectly. We recently received a nice pf version bump with the release of 9.0 and it doesn't seem likely we'll see another soon. There is an SMP-friendly fork of pf in progress for FreeBSD. It may very well turn out that FreeBSD's pf completely diverges from OpenBSD's permanently as OpenBSD has no interest in an SMP-friendly pf.

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html

As for IPFW -- I honestly don't know. I can't remember the last time there was a major update of IPFW for FreeBSD.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"