Future of pf / firewall in FreeBSD ? - does it have one ?
Kristian K. Nielsen
freebsd at com.jkkn.dk
Wed Jul 16 23:15:21 UTC 2014
I have been encouraged by people on the pf-mailinglist to move this
discussion to the current mailinglist since this may be an area in the
OS where FreeBSD need to focus on next.
First of all I am a happy user of the pf-firewall module and have been
for years and think it is really great - the trouble is that lately
(since 2008) its getting a bit dusty.
The last few years it seem that pf in FreeBSD got a long way away from
pf in OpenBSD where it originated
- also looking at the ipfilter (ipf) and ipfw - they both to me do not
seem to be as complete as pf.
So I am curious if any on the mailing could elaborate about what the
future of pf in FreeBSD is or should be.
a) First of all - are any actively developing pf in FreeBSD?
b) We are a major release away from OpenBSD (5.6 coming soon) - is
following OpenBSD's pf the past? - should it be?
c) We never got the new syntax from OpenBSD 4.7's pf - at the time a
long discussion on the pf-mailing list flamed the new syntax saying it
would cause FreeBSD administrators too much headache. Today on the list
it seems everyone wants it - so would we rather stay on a dead branch
than keep up with the main stream?
d) Anyone working on bringing FreeBSD up to pf 5.6? - seem dead on the
e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
f) IPv6 support?- it seem to be more and more challenged in the current
version of pf in FreeBSD and I am (as well as others) introducing more
and more IPv6 in networks.
E.x. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
which is the bug on not handling IPv6 fragments which have been open
since 2008 and where the workaround is necessity to leave an completely
open hole in your firewall ruleset to allow all fragments. According to
comment in the bug, this have been long gone in OpenBSD.
g) Performance, can we live with pf-performance that compared to OpenBSD
is slower by a factor of 3 or 4, even after the multi-core support in
(Henning Brauer noted that in this talk at
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and
36:53)) - credit/Jim Thompson
h) Bringing back patches from pfSense?
And my most important question:
* Should this or could this be a project for the foundation to either do
a summer project or funded project to bring this part of the OS up to date?
Hope to hear from you all,
Kristian Kræmmer Nielsen,
More information about the freebsd-current