Date: Fri, 23 May 2014 10:24:10 +0200
From: Rainer Duffner
To: Peter Wemm
Cc: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?

On Thu, 22 May 2014 15:50:23 -0700, Peter Wemm wrote:

> The main source of pain we have is that the pf in FreeBSD doesn't do
> ipv6 fragment processing. We had to work around this because we have
> public facing DNS servers behind it and they have to deal with ipv6
> fragments.

Hi,

can you elaborate on this a bit more (without exposing the security of
the FreeBSD.org cluster)?

The reason I ask is that we're going to implement a new DNS soon-ish
and it will also need to serve IPV6. It's planned to run pf on the
nameservers directly. At least until we have a commercial firewall that
actually does IPV6 better than pf ;-)

Or is there information on the web about this, somewhere?

Thanks in advance

Rainer