Upgrading FreeBSD to use the NEW pf syntax. (Copied from freebsd-pf)

Gary Palmer gpalmer at freebsd.org
Tue Nov 20 12:13:40 UTC 2012

On Tue, Nov 20, 2012 at 11:43:04AM +0100, Olivier Smedts wrote:
> 2012/11/20 Paul Webster <paul.g.webster at googlemail.com>:
> > I am aware this is a much discussed subject since the upgrade of PF, I
> > believe the final decision was that too many users are used to the old
> > style pf and an upgrade to the new syntax would cause too much confusion.
> But a change like this is expected in a new major branch, ie.
> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
> problem here.

So you don't expect people to upgrade boxes in place?

I also guess you've never been 5,000 miles away from a box and typo'd something
in the firewall and locked yourself out.  Then think how tons of FreeBSD
users would feel if the default pf syntax was changed to be incompatible and
they find themselves in a similar situation after an upgrade.  Defaulting to
open, while it could solve the problem (although I would suspect there could
be edge cases where it doesn't), could be bad for other reasons.

The other question that I haven't seen answered (or maybe even asked), but
is relevant: what do we gain by going to a later version of pf?  I.e. as an
administrator, what benefit do I get by having to expend effort converting
my filter rules?

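One defensive practice against the remote lockout described above, as an added example that is not part of the thread: parse-check the candidate ruleset with `pfctl -n` before touching the live firewall, then load it with a timed rollback to the known-good file that only a deliberate confirmation cancels. The `PFCTL` and `GRACE` variables and the confirmation-flag file are this example's own conventions, not anything from pf or FreeBSD.

```shell
#!/bin/sh
# Added example: safely reload a pf ruleset from a remote session.
# PFCTL may be overridden (for instance with a stub) to exercise the
# logic on a host that has no pf; GRACE is the rollback delay in seconds.
PFCTL=${PFCTL:-pfctl}
GRACE=${GRACE:-120}

# check_rules FILE -> 0 if pfctl accepts the syntax, non-zero otherwise.
# `pfctl -n` parses the file without loading it, so a typo is caught
# before it can lock anyone out; parse errors stay visible on stderr.
check_rules() {
    "$PFCTL" -n -f "$1"
}

# safe_load NEWFILE KNOWNGOOD CONFIRMFLAG
# Loads NEWFILE only if it parses, then reverts to KNOWNGOOD after GRACE
# seconds unless the file CONFIRMFLAG has been created in the meantime
# (i.e. the admin still has a working session and confirmed the change).
# Returns 1 without touching pf when NEWFILE fails the syntax check.
safe_load() {
    new=$1 knowngood=$2 confirm=$3
    if ! check_rules "$new"; then
        echo "refusing to load $new: syntax check failed" >&2
        return 1
    fi
    "$PFCTL" -f "$new" || return 1
    (
        sleep "$GRACE"
        [ -e "$confirm" ] || "$PFCTL" -f "$knowngood"   # automatic rollback
    ) &
    echo "loaded $new; create $confirm within ${GRACE}s to keep it"
}
```

Run it as `safe_load /etc/pf.conf.new /etc/pf.conf /tmp/pf.keep` and, once the new rules demonstrably still let you in, `touch /tmp/pf.keep` before the grace period ends.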