From owner-freebsd-questions@FreeBSD.ORG Sun Jul 20 18:43:03 2014
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3735CB7A; Sun, 20 Jul 2014 18:43:03 +0000 (UTC)
Received: from mail2.nber.org (mail2.nber.org [198.71.6.79]) by mx1.freebsd.org (Postfix) with ESMTP id 2D8DD2FA0; Sun, 20 Jul 2014 18:43:01 +0000 (UTC)
Received: from nber7.nber.org (nber7.nber.org [198.71.6.41]) by mail2.nber.org (8.14.8/8.14.5) with ESMTP id s6KIZQtY029556 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 20 Jul 2014 14:35:26 -0400 (EDT) (envelope-from feenberg@nber.org)
Date: Sun, 20 Jul 2014 14:35:26 -0400 (EDT)
From: Daniel Feenberg
To: Lars Engels
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <20140720123916.GV96250@e-new.0x20.net>
Message-ID:
References: <53C706C9.6090506@com.jkkn.dk> <20140718110645.GN87212@FreeBSD.org> <20140718151255.b3e677d9.gerrit.kuehn@aei.mpg.de> <53CA2D39.6000204@sasktel.net> <20140720123916.GV96250@e-new.0x20.net>
User-Agent: Alpine 2.11 (LRH 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Anti-Virus: Kaspersky Anti-Virus for Linux Mail Server 5.6.39/RELEASE, bases: 20140401 #7726142, check: 20140720 clean
X-Mailman-Approved-At: Sun, 20 Jul 2014 21:20:17 +0000
Cc: krad, Stephen Hurd, freebsd-current@freebsd.org, Gleb Smirnoff, Gerrit Kühn, FreeBSD Mailing List, Matt Bettinger
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 20 Jul 2014 18:43:03 -0000

On Sun, 20 Jul 2014, Lars Engels wrote:

> On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote:
>> All of that is true, but you are missing the point. Having two versions of
>> pf on the BSDs at the user level is a bad thing. It confuses people,
>> which puts them off. It's a classic case of divide and conquer for other
>> platforms. I really like the idea of the openpf version that has been
>> mentioned in this thread. It would be awesome if it ended up as a supported
>> Linux thing as well, so the world could be rid of iptables. However, I guess
>> that's just an unrealistic dream.
>
> And you don't seem to get the point that _someone_ has to do the work.
> No one has stepped up so far, so nothing is going to change.
>

No one with authority has yet said that "If an updated pf were available, it would be welcomed". Rather they have said "An updated pf would not be suitable, as it would be incompatible with existing configuration files". If the latter is indeed the case, there is little incentive for anyone to go to the effort of porting the newer pf. After all, the reward for the work is chiefly in glory, and if there is to be no glory, the work is unlikely to be done.

I do not have a horse in this race.

Daniel Feenberg
NBER