PF import FAQ [Re: cvs commit: src/sys/contrib/pf/net if_pflog.c
if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c
pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinetin4_cksum.c]
Max Laier
max at love2party.net
Thu Feb 26 10:30:10 PST 2004
Hi,
to answer some of the questions and concerns raised in the discussion here
(and in private mail to me):
Q: Does that mean ipfw(6)/ipfilter will be removed?
A: Not if I have to decide, which I have not ... luckyly.
Q: Why for haven's sake do we include another firewall?
A: Because we can! Fact is, that addition of pf does not mess any existing
code. It is encapsulated inside the pfil(9) api and could be maintained
as third-party code in the ports-tree. Still, it is my belief that the
addition of pf to the base system has benefits: Possible to build it in
the kernel (which is somewhat comforting for a firewall), it will be
catched by tinderbox builds (i.e. track changes in the kernel api) and
so forth. It boils down to: It's just more convenient for both user and
developer!
Q: Are there plans to unify the firewalls/create *the* firewall?
A: No. It seems there are plans to glue ipfw with it's IPv6 part (see
Luigi's msg on this thread before), but there will not be one unified
kernel firewall thing doing all of ipfw/ipf/pf/... in near future.
Keep in mind that every firewall has it's own (dis)advantages, some in
implementation which can be lifted, some in design and that it is the
differentses between them that make them especially useful for a
certain job. Choice is the key here.
Q: Will ALTQ and/or CARP come as well?
A: Both is on my list, but not with a high priority or ready-made plans.
It is ture that pf gains a lot from coupling with ALTQ and CARP rounds
that up even more, still I like to take one step at a time and the
current step is pf. If you are curious about ALTQ check out the altq
project at rofug: http://www.rofug.ro/projects/freebsd-altq/
Q: Will there be a NO_PF knob?
A: Definitely! The build infrastructure will not be too different from
what ipf does now.
Q: What are the technical arguments for pf again?
A: Activ development! State of the art feature list, steadily increasing.
High performance stateful inspection, stateful (in-kernel) NAT/redirect
and load-balancing, DoS prevention (synproxy, per-rule/-state limits),
flexible "high-level" syntax, structured rulesets with anchors, dynamic
address tables w/ O(1)-lookups, highly customizable logging with full
payload, mature IPv6 support and many many more ...
Futur version will bring failover, with keeping states and other
enterprise level solutions.
--
Best regards, | mlaier at freebsd.org
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet
More information about the cvs-all
mailing list