Date: Thu, 28 Mar 2002 12:12:00 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Attila Nagy <bra@fsn.hu>
Cc: Alex Holst <a@area51.dk>, security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Message-ID: <20020328121200.C97841@blossom.cjclark.org>
In-Reply-To: <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu>; from bra@fsn.hu on Thu, Mar 28, 2002 at 01:20:40PM +0100
References: <20020328064640.GA74780@area51.dk> <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu>

On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> Hello,
>
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which has a different codebase. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)
>
> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.

There is nothing special about PF that makes bridge support
easier. After all, there is mature bridging support for IPFilter in
OpenBSD.

I also recently committed a hack for IPFilter bridging support in
-CURRENT. I'll put the -STABLE patches on the website listed in the
headers and .sig today if anyone wants 'em.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message