From: Joe Holden
Date: Sun, 14 Apr 2013 19:55:21 +0100
To: wishmaster
Cc: Gary Palmer, "current@freebsd.org", "net@freebsd.org"
Subject: Re: ipfilter(4) needs maintainer

wishmaster wrote:
> --- Original message ---
> From: "Gary Palmer"
> Date: 14 April 2013, 19:06:59
>
>> On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
>>> Is it possible to move ipfilter into a port?
>> That may work short term, but the ENOMAINTAINER problem will quickly creep
>> up again as kernel APIs change. If the author has lost interest in
>> maintaining the FreeBSD port of ipfilter then unless someone steps forward
>> to carry on the work, I don't see much of a future for ipfilter in
>> FreeBSD
>>
>> Do we honestly need three packet filters?
>
> Yes! This is the most clever thought in this thread. Why do we need 3 firewalls? Two packet filters is excessive too.
> We have two packet filters: one with excellent syntax and functionality but with an outdated bandwidth control mechanism (aka ALTQ); another - with a nice traffic shaper/prioritization (dummynet)/classification (diffused) but with complicated implementation in non-trivial tasks.
> Maybe the next step will be a discussion about one packet filter in the system?..
>
> Cheers,

For non-NAT, ipfw is still superior in every way: numbered rules (think: scripts), dummynet, much faster than pf, syntax is a lot nicer and predictable...

Does anyone even use ipf? It doesn't even work on Linux anymore, junk it and keep pf+ipfw, job done.