From owner-freebsd-questions@FreeBSD.ORG Sun Jul 20 04:38:52 2014
From: Adrian Chadd
To: Darren Pilgrim
Cc: "Kristian K. Nielsen", Franco Fichtner, freebsd-current, FreeBSD Questions
Date: Sat, 19 Jul 2014 21:38:50 -0700
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <53CB4736.90809@bluerosetech.com>
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com>

On 19 July 2014 21:36, Darren Pilgrim wrote:
> On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>>> discussion on the pf-mailing list flamed the new syntax saying it would
>>> cause FreeBSD administrators too much headache. Today on the list it seems
>>> everyone wants it - so would we rather stay on a dead branch than keep up
>>> with the main stream?
>>
>> I'd say many people are comfortable with an old state of pf (silent
>> majority), but that shouldn't keep us from catching up with newer
>> features (and of course bugfixes).
>
> Never mistake silence for consent.
>
> The vast majority of people don't know pf is outdated and broken on FreeBSD
> because they don't know what they're missing and likely aren't using IPv6
> yet. The moment you turn on IPv6 and restart a validating unbound, you run
> full-speed into pf's broken behaviour. Make an EDNS0-enabled query for a
> signed zone and you'll get a fragmented UDP packet that will never make it
> through unless you tell pf to allow all fragments unconditionally. They'll
> simply think something is wrong with unbound, turn off EDNS0 and/or
> validation, hurt performance and/or security in the process, and never
> realize their firewall is doing literally the worst possible thing it could
> do.
>
> All because over half a decade ago some folks got all butthurt over a config
> file format change.

If someone wants to port the up-to-date pf and can fix whatever performance /
parallelism issues creep up, then go for it.

-a
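Added example (not from Darren's or Adrian's mail, and not FreeBSD's own documentation): what the situation Darren describes looks like in configuration. The pf.conf part uses the pre-OpenBSD-4.7 syntax FreeBSD had at the time; the `pass ... proto ipv6-frag` rule is the "allow all fragments unconditionally" workaround he mentions, shown next to the reassembly directive that would make it unnecessary where the pf in use actually reassembles IPv6 fragments (whether it does is version-dependent and is the point of the complaint, so treat that as an assumption). The unbound.conf part is the resolver-side mitigation that keeps EDNS0 and validation switched on while avoiding fragmentation: the 1232-byte buffer size is my choice (1280-byte IPv6 minimum MTU minus 40 bytes IPv6 header minus 8 bytes UDP header), not a value from the thread. `em0` and `2001:db8::53` are placeholders.

```conf
# ---- /etc/pf.conf (old FreeBSD pf syntax, as discussed in the thread) ----
ext_if   = "em0"           # placeholder: external interface
resolver = "2001:db8::53"  # placeholder: address the validating unbound queries from

# Reassemble fragments before rules are evaluated. On the pf of that era this
# is known to cover IPv4; whether IPv6 fragments are reassembled depends on the
# pf version (assumption: the version Darren complains about does not).
scrub in on $ext_if all fragment reassemble

block in on $ext_if all

# The blanket workaround from Darren's mail: let every IPv6 packet carrying a
# fragment header through, stateless. Without it, the second and later
# fragments of a large DNSSEC answer have no UDP header for pf to match
# against the outbound state, so they are dropped. With it, anything
# fragmented bypasses the stateful filter, which is why he calls it the
# worst possible thing the firewall can do.
pass in quick on $ext_if inet6 proto ipv6-frag from any to any

# The stateful rule the resolver's own lookups rely on: the first fragment of
# a response matches this state, later fragments do not.
pass out on $ext_if inet6 proto udp from $resolver to any port 53 keep state


# ---- /usr/local/etc/unbound/unbound.conf (resolver-side mitigation) ----
server:
    # Keep validation and EDNS0 enabled, but advertise a UDP payload size
    # that fits in one minimum-MTU IPv6 datagram (1280 - 40 - 8 = 1232,
    # my choice, not a value from the thread). Answers larger than this
    # come back truncated and unbound retries them over TCP, so nothing
    # has to be fragmented and no blanket fragment rule is needed.
    edns-buffer-size: 1232
    do-tcp: yes
```

Of the two firewall-side lines, only one should be in effect: keep the `scrub ... fragment reassemble` line and drop the `ipv6-frag` pass rule once the pf in use reassembles IPv6 fragments; until then the unbound setting is the change that avoids the problem without opening the firewall to all fragments.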