Date: Mon, 20 May 2013 19:08:02 -0400 (EDT)
From: "Lawrence K. Chen, P.Eng."
To: net@freebsd.org
Message-ID: <380998552.18795251.1369091282251.JavaMail.root@k-state.edu>
In-Reply-To: <20130419100620.GA94200@babolo.ru>
Subject: Re: ipfilter(4) needs maintainer
List-Id: Networking and TCP/IP with FreeBSD

I'm late into this discussion, but I guess I'm glad that ipfilter will continue in FreeBSD....

It has only been since last summer that we've gotten our first production FreeBSD server. Several of us in the sysadmin team have been behind the possibility to varying degrees. We had pitched it as an option to a federal site that we support, that was looking to replace their aging Solaris server.
They had come to like ZFS and Zones in Solaris 10, but wanted to maximize performance and work within their declining IT budget, so going to FreeBSD with ZFS and jails seemed ideal.

One day it suddenly appeared.... I was able to get up to speed and quickly adapt most of our configuration management system (cfengine2) to support FreeBSD 9 (before this I had only used FreeBSD 2 -- ran a Free-Net.)

In the area of host-based firewall, pretty much the only changes for FreeBSD were /usr/sbin/ipf vs /sbin/ipf and SMF vs /etc/rc.d. Having to support another firewall in our configuration generation process would've been a problem (though it is in need of a rewrite, which it may get since it's likely we'll be moving to chef in the near future.)

While personally, I would likely have adapted to using something else on my home system since I had played a little bit with ipfw and pf while investigating a performance problem of doing policy-based routing to be able to have a jail with a different gateway. Which was resolved by using FIBs. And, I've been thinking of replacing my dd-wrt routers with pfsense....

And, I'm staying with cfengine3 for configuration management of my home systems, even though management has decided that we will go with chef ... because it might have some interesting features (and does things that require purchasing the enterprise edition of cfengine3), though it doesn't do some of the processes that are critical to our current processes. We're still using cfengine2 at work, though I've heard that getting the server upgraded to cfengine3 is nearly done. Though it sounds like to get us on board, they'll send us to chef training.... (or bring training on site)