Upgrading FreeBSD to use the NEW pf syntax.

Mark Martinec Mark.Martinec+freebsd at ijs.si
Tue Nov 20 14:43:27 UTC 2012

Paul Webster wrote:
> I am aware this is a much discussed subject since the upgrade of PF,
> I believe the final decision was that too many users are used to the old
> style pf and an upgrade to the new syntax would cause too much confusion.

I don't buy that. Think of the confusion in a year or two when
OpenBSD PF rules and the PF documentation won't match the
legacy syntax in FreeBSD's PF.

Maxim Khitrov wrote:
> > 1) To move to the newer pf and just add to release notes what had
> > happened,
> My vote is for option 1, but I'll also be happy with option 2 if it
> costs little to maintain both versions. I'm pretty much for anything
> that brings pf in sync (or close to it) with OpenBSD.

My sentiments exactly.

Olivier Smedts wrote:
> But a change like this is expected in a new major branch, ie.
> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
> problem here.


Gary Palmer wrote:
> So you don't expect people to upgrade boxes in place?
> I also guess you've never been 5,000 miles away from a box and typo'd
> something in the firewall and locked yourself out.  Then think how tons
> of FreeBSD users would feel if the default pf syntax was changed to be
> incompatible and they find themselves in a similar situation after an
> upgrade.

The risk of locking oneself out even on minor fiddling with fw rules
on a remote machine, let alone upgrading its OS, is something that
every administrator is already aware of. Working without a safety net
is unwise for a hobbyist, and unacceptable for a professional.
I don't think the above argument holds water.

Olivier Smedts wrote:
> Another question : how did OpenBSD managed this change ?

This is from http://www.openbsd.org/faq/upgrade46.html
| If you reboot your system without a usable pf.conf file in place, your pf
| rules will not be loaded, and you will end up using the default rule set,
| which will block all traffic EXCEPT for ssh over the standard port 22.
| This means that if you do not fix your pf.conf rules before rebooting,
| you may be greeted by a box that does not even respond to pings.
| Do not panic, as you can still ssh to the box, assuming you have sshd(8)
| listening on the usual port.

Gary Palmer wrote:
> The other question that I haven't seen answered (or maybe even asked), but
> is relevant: what do we gain by going to a later version of pf?  I.e. as an
> administrator, what benefit do I get by having to expend effort converting
> my filter rules?

For one thing, I'm desperately awaiting NAT64 support (the 'af-to'
translation rule in newer pf (5.1?), committed on 2011-10).

Other: packet normalization (scrub) has been reworked and simplified,
and is now a ruleset option. Considering that scrub is currently broken
(9.1, see list of PF bugs in FreeBSD), along with several other
bugs that need fixing, it seems the (scarce) manpower would better
be spent in moving on, than keeping the already leaky (buggy) pf.

I think the compatibility issue should not be used as an excuse
for not moving on. You can't make an omelette without breaking eggs.
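As an added illustration of the two syntaxes this thread is arguing about (not part of the original mail, and not taken from any FreeBSD or OpenBSD source tree): the legacy FreeBSD 9.x scrub rule beside its OpenBSD 4.6+ equivalents, followed by the af-to NAT64 rule mentioned above. The interface and network macros ($ext_if, $int_if, $int_net) are assumed placeholder values.

```pf
# Assumed interface names and an IPv6 documentation prefix (constructed).
ext_if  = "em0"
int_if  = "em1"
int_net = "2001:db8:1::/64"

# --- Legacy syntax (pf as shipped in FreeBSD 9.x) ---
# Normalization is its own rule type, evaluated before filter rules.
scrub in on $ext_if all no-df random-id fragment reassemble

# --- New syntax (OpenBSD 4.6 and later) ---
# Fragment reassembly became a global ruleset option.
set reassemble yes no-df

# The remaining normalization keywords hang off match/pass rules, so one
# "match" line applies scrub options to traffic that later rules pass.
match in on $ext_if all scrub (no-df random-id max-mss 1440)

# NAT64 via af-to (OpenBSD 5.1 and later): IPv6 clients on $int_net reach
# IPv4 hosts through the RFC 6052 well-known prefix 64:ff9b::/96; pf
# rewrites the address family and translates replies back via state.
pass in on $int_if inet6 from $int_net to 64:ff9b::/96 af-to inet from ($ext_if)
```

Loading either file with pfctl -nf /etc/pf.conf only parses it without changing the active ruleset, which is the cheap safety check before committing a rewritten configuration on a remote box.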
