Future of pf / firewall in FreeBSD ? - does it have one ?

Paul Kraus paul at kraus-haus.org
Fri Aug 1 14:12:33 UTC 2014

On Aug 1, 2014, at 8:46, Mark Felder <feld at freebsd.org> wrote:

> I personally use pf for many reasons, spamd included. I don't think anyone out there is interested in forking spamd to play ball with ipfw so we would also be alienating these users who can't just change packet filters. Is there even an equivalent to pfsync for ipfw? I didn't think so, but I could be wrong... 
> In the world of firewalls pf has been put on a quite a pedestal. OpenBSD pushed it hard and it marketed it well; people found it both powerful and easy to use which created a cult following and lots of word of mouth advertising. I find it hard to agree with removing pf from FreeBSD because of the existing userbase. If there was an experimental label on it I would find its removal easier to swallow.

I have remained silent on this for two reasons:

1. I am a consumer of FreeBSD. I am a sysadmin, I am NOT a coder and *I* would not want any code that *I* wrote in the kernel of an OS that I was running. I know my limitations. So I could not contribute to the development of pf in FreeBSD

2. Where I use packet filters on a host, and that is not very much, I tend to use ipfilter because in those case my needs are simple. For heavy duty (read: gateway) filtering I use commercial firewalls like the Checkpoint 600 series. So the inclusion or exclusion of pf has no direct effect on me.

Having said all that, the reason I use FreeBSD over other open source OSes right now is that it is, in my opinion, the most “grown up” option. I have never seen Linux as an Enterprise tier OS due to a number of basic design decisions made by Linus and those around him. Illumos is very good, but fairly narrow in both it’s hardware support and feature set. I never took a long hard look at the other BSDs as FreeBSD was recommended by a friend and I liked what I found, ESPECIALLY the documentation in the Handbook.

I have read a lot of arguments on both sides of the pf in FreeBSD debate over the past weeks. Realistically I think what it comes down to is whether there is someone, a person, an individual with the necessary skill set and drive and desire (and that can be motivated by funding) to take ownership of it and run with it. If there is not, then I think pf in FreeBSD dies. No matter how many people want it to continue, no matter if it is best for FreeBSD for it to continue. Without someone to take ownership of it, then even if it continues it will not be top quality, and having something in FreeBSD that is not top quality would be a mistake (IMHO).

Paul Kraus
paul at kraus-haus.org

More information about the freebsd-current mailing list