[pf4freebsd] HTML-ify anyone?

Max Laier max at love2party.net
Wed Sep 15 21:10:20 PDT 2004


Hi,

as you might know, the pf-page is (a bit) out-of-date/undermaintained. This is 
due to my lack of time and HTML-skillz. I'd be more than happy if somebody 
would be so nice to volunteer to HTML-ify/proofread/enhance the attached 
plain-text and send me the resulting HTML-pages. Improvements and comments 
very welcome also!

General notes: It's nothing fancy, agreed. But it's better than what is there 
now. It has some raw edges and might be outdated as well (I wrote this while 
on a train a couple of weeks ago), but I was kinda hoping for you to jump in 
and provide an "intelligent transformation" i.e. improving my scribbling 
while keeping the idea. I don't object to a complete rewrite either.

On a sidenote to this I'd also like to remind you that there is no information 
or advertisement of pf in the handbook/non-manpage-documentation, yet. If 
somebody is interested in addressing this shortcoming, please get in touch 
with me! Fundamental work (rewrite of the "Firewall section" in the handbook) 
has been started, but with documentation - you can never have enough!

Looking forward to your feedback. Thanks in advance!

-- 
/"\  Best regards,			| mlaier at freebsd.org
\ /  Max Laier				| ICQ #67774661
 X   http://pf4freebsd.love2party.net/	| mlaier at EFnet
/ \  ASCII Ribbon Campaign		| Against HTML Mail and News
-------------- next part --------------
Names:
<pyun> = Pyun YongHyeon <yongari at kt-is.co.kr>
<mark> = Mark Johnston <mark at xl0.org>
<daniel> = Daniel Hartmeier <dhartmei at freebsd.org>
<kjc> = Kenjiro Cho <kjc at freebsd.org>
<max> = Max Laier <mlaier at freebsd.org>

Site map:

INDEX
LINKS
CHANGES
TODO/HELP
ALTQ
MAILINGLIST

INDEX:
This is the homepage of the FreeBSD packet filter (pf) ported by
  <pyun>
  <max>
derived from OpenBSD.
----
Status:
The port is part of the FreeBSD base system as of March 8th, 2004 and in
sync with OpenBSD 3.5-STABLE.
----
History:
This port was started by <pyun> with the following post on deadly:
<http://undeadly.org/cgi?action=article&sid=20030325141427> Since it
generated a lot of interest we started this project "pf4freebsd" and created
a FreeBSD port <http://www.freshports.org/security/pf> Many people provided
help along the way, most notably <daniel> - the original author of pf at
OpenBSD. Shortly after FreeBSD 5.2.1 was released, we were invited to merge
our port into the FreeBSD base system, where it is maintained now. Currently
<daniel> and <max> take care of it and will try to keep it in sync with
OpenBSD-STABLE. We will also try to merge other reliability fixes from
OpenBSD-CURRENT, which do not make -STABLE in OpenBSD due to policy. In
addition we will try to provide FreeBSD specific modifications e.g. per-jail
rules. The plan is to follow OpenBSD's lead as we see this project as a port,
not a fork, but still to allow FreeBSD users and developers to use pf's
power in the ways FreeBSD demands/allows.

If you have general ideas to improve pf or for additional features, we
encourage you to bring them to OpenBSD first. It's okay however to provide
us with your FreeBSD patches.
----
Resources:
- WIP patches waiting for testers will be on
  <http://people.freebsd.org/~mlaier/>
- The latest stable version of the port is available with FreeBSD-current
- Port/FreeBSD-specific questions and discussion should go to <MAILINGLIST>
- pf questions in general and discussion should go to <pf at benzedrine.cx>
- For examples, tutorials and further reading see: <LINKS>

LINKS: <TBD> || see old page

CHANGES:
The old (pre-import) Changelist can be found here: <link>
----
Since the import was done, changes are available via FreeBSD's cvsweb
interface: <http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/>

<mark> does a good job with writing summaries found at:
<http://excel.xl0.org/FreeBSD/>

For security relevant changes see the OpenBSD-STABLE errata page:
<http://www.openbsd.org/errata35.html>
We usually manage to sync changes from there with a delta <1 day and the
OpenBSD security officers provide us with a pre-release HEADSUP for critical
patches.

Announcements of critical updates and imports of a new OpenBSD version will
be posted to <MAILINGLIST>

TODO/HELP:
If you run into anything unexpected, please take the time to tell us about
it. Provide as much detail as possible, but even an incomplete report is
better than no report at all! Submit reports to one of MAILINGLIST, <max> or
send-pr(1) it. If you use the latter CC <max> so that I can take care of it.

If you are interested in testing the latest pf-features on your FreeBSD-
current box, you should take a look at http://people.freebsd.org/~mlaier/
from time to time and subscribe to the <MAILINGLIST> where we will announce
new patches, updates to older ones, etc.

For the patches on <~mlaier> we are interested in success stories as well. If
you were able to boot/run/use it on your setup, please file a short report
about your test-setup to either the <MAILINGLIST> or <max> directly. If you
have problems with the patches, you can ask on the <MAILINGLIST> or mail to
<max>. Please do *not* use send-pr(1) for this.

ALTQ:
Alternate queuing (ALTQ) is a framework for shaping network traffic.

ALTQ was imported to FreeBSD-current as of June 13th, 2004.

It was originally developed as part of the KAME project by <kjc>. OpenBSD
picked it up and invented a nice way to integrate certain parts of ALTQ with
pf, making it a lot easier to manage. These changes were synced back to
the KAME project and are now the de-facto standard for everyday use of ALTQ
(known as "pf_mode"). The original ALTQ3_COMPAT code and /dev/altq still
have some relevance for scientific disciplines, though.

pf becomes an even more powerful tool now that it has ALTQ support. On
<~mlaier> there are a couple of driver modifications that need testing.
If you want ALTQ on your card but do not find a patchset there, please write
an email to <max>. ALTQ in FreeBSD supports "pf mode" only, for a couple of
reasons:

 1) FreeBSD 5 uses fine-grained locking and /dev/altq is hard to lock.
 2) Same applies for the standalone classifier.
 3) We see no real benefit in the ALTQ3 approach.

Other firewalls (such as ipfw and ipf) could be used to classify for this
version of ALTQ as well. The API is well-defined and it should be trivial to
come up with a patch for ipfw esp. since it already does something alike for
dummynet.

By the way, dummynet provides a completely different way of traffic shaping,
which we consider inferior to the ALTQ approach for some very common
applications. It has its strengths as well, where ALTQ lacks functionality.
This is a fundamental difference in design which is why we believe that
dummynet just isn't enough for all applications. The fact that dummynet is
very closely coupled with ipfw makes it hard to utilize from pf and further
creates the need for ALTQ in FreeBSD.
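
What "pf mode" means in practice is that the queues are declared in pf.conf
and ordinary filter rules assign traffic to them; there is no separate
/dev/altq classifier to configure. The following pf.conf fragment is an
added example for this page, not configuration shipped by pf4freebsd or
OpenBSD. It assumes an external interface named em0 with roughly 2 Mbit/s
of upstream bandwidth and a kernel built with options ALTQ and ALTQ_CBQ
(plus ALTQ_NOPCC on SMP systems); the interface and bandwidth figure are
placeholders.

```pf
# Added example, not part of the pf4freebsd page. Assumes: interface em0,
# ~2Mb/s upstream, kernel built with options ALTQ and ALTQ_CBQ.
ext_if = "em0"

# Attach the CBQ scheduler to the outbound interface and declare the
# child queues. The root bandwidth should be a little below the real
# link speed so that the queue, not the modem, is where packets wait.
altq on $ext_if cbq bandwidth 2Mb queue { q_def, q_ack, q_ssh, q_bulk }

# q_def catches everything no rule assigns explicitly (cbq(default)).
# "borrow" lets a queue use spare bandwidth from its parent when idle.
queue q_def  bandwidth 40% cbq(default borrow)
queue q_ack  bandwidth 10% priority 7 cbq(borrow)
queue q_ssh  bandwidth 20% priority 6 cbq(borrow)
queue q_bulk bandwidth 30% priority 1 cbq(borrow)

# Classification happens in the filter rules. With "queue (a, b)" the
# second queue receives TCP ACKs without payload and packets marked
# TOS lowdelay, which keeps downloads from starving the upstream ACKs.
pass out on $ext_if proto tcp from any to any port 22 keep state queue (q_ssh, q_ack)
pass out on $ext_if proto tcp from any to any port 80 keep state queue (q_bulk, q_ack)
pass out on $ext_if keep state queue (q_def, q_ack)
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, load it
with pfctl -f /etc/pf.conf, and watch the per-queue counters with
pfctl -vsq to confirm traffic actually lands in the queue you expect. If
pfctl refuses the altq line for an interface, the driver most likely lacks
ALTQ support yet, which is exactly what the driver patches on <~mlaier>
are about.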

MAILINGLIST:
Use the old pages || create pf-freebsd at freebsd.org and link to mailman???
