Future of pf / firewall in FreeBSD ? - does it have one ?

Darren Pilgrim list_freebsd at bluerosetech.com
Sun Jul 20 04:36:26 UTC 2014

On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf-mailing list flamed the new syntax saying it would cause FreeBSD administrators too much headache. Today on the list it seems everyone wants it - so would we rather stay on a dead branch than keep up with the main stream?
> I'd say many people are comfortable with an old state of pf (silent
> majority), but that shouldn't keep us from catching up with newer
> features (and of course bugfixes).

Never mistake silence for consent.

The vast majority of people don't know pf is outdated and broken on 
FreeBSD because they don't know what they're missing and likely aren't 
using IPv6 yet.  The moment you turn on IPv6 and restart a validating 
unbound, you run full-speed into pf's broken behaviour.  Make an 
EDNS0-enabled query for a signed zone and you'll get a fragmented UDP 
packet that will never make it through unless you tell pf to allow all 
fragments unconditionally.  They'll simply think something is wrong with 
unbound, turn off EDNS0 and/or validation, hurt performance and/or 
security in the process, and never realize their firewall is doing 
literally the worst possible thing it could do.

All because over half a decade ago some folks got all butthurt over a 
config file format change.
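As an added illustration of the failure mode described above (example code, not from the original thread or from pf/unbound): this builds and parses a DNS query carrying an EDNS0 OPT record, then computes whether a response of a given size would have to be fragmented on an IPv6 path. The qname and transaction id are constructed sample values; 1232 is the widely recommended EDNS buffer size that keeps a UDP response under the 1280-byte IPv6 minimum MTU.

```python
import struct

IPV6_MIN_MTU = 1280   # RFC 8200: every IPv6 link must carry a 1280-byte packet unfragmented
IPV6_HDR = 40
UDP_HDR = 8
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000       # "DNSSEC OK" flag, top bit of the 16-bit flags field in the OPT TTL

def build_edns0_query(qname, qtype=1, bufsize=4096, dnssec_ok=True, txid=0x1234):
    """Wire-format DNS query with one question and an EDNS0 OPT record in the additional section."""
    # header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root owner name, TYPE=41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode/version/flags (DO bit), RDLENGTH=0 (no options)
    ttl_flags = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, ttl_flags, 0)
    return hdr + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at offset off."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + l

def parse_edns0(msg):
    """Return {'bufsize', 'do'} from the OPT RR of a DNS message, or None if it has no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return {"bufsize": rclass, "do": bool(ttl & DO_BIT)}
        off += 10 + rdlen
    return None

def will_fragment(response_len, mtu=IPV6_MIN_MTU):
    """True if a UDP/IPv6 datagram carrying a DNS payload of this size exceeds the MTU."""
    return IPV6_HDR + UDP_HDR + response_len > mtu

def safe_bufsize(mtu=IPV6_MIN_MTU):
    """Largest EDNS buffer size whose responses never need IPv6 fragmentation on this MTU."""
    return mtu - IPV6_HDR - UDP_HDR
```

A resolver advertising a 4096-byte buffer with DO set invites signed answers that `will_fragment` on a 1280-byte path; capping the advertised size at `safe_bufsize()` (1232) is the usual mitigation when the firewall in front of the resolver drops fragments.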
