PF from OpenBSD 4.7

Maxim Khitrov max at mxcrypt.com
Sun Feb 20 22:40:20 UTC 2011


On Sun, Feb 20, 2011 at 4:16 PM, jhell <jhell at dataix.net> wrote:
>
> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>
>> On 20 February 2011 06:50, jhell <jhell at dataix.net> wrote:
>>>
>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>
>>>> I heard a while ago about a packet filter update coming, but there's no
>>>> news about it. What is the status of this update?
>>>>
>>>
>>> This was for OpenBSD pf45 not pf47. The patchset should be somewhere in
>>> the archives for HEAD.
>>>
>>
>> Differences between pf45 and pf47 are much smaller than between pf45
>> and current pf.
>>
>> I've found them, but there is no status about them. Should I ask the same
>> question on the freebsd-current@ mailing list?
>>
>
> Difference being that after pf45 there was a syntax change that is nearly
> incompatible with the current pf41-45 syntax so AFAIR based on that pf45 was
> voted as the most likely to be merged into HEAD.
>
> There is an email from Theo @openbsd.org about the syntactic changes that
> have made people a little jumpy at adopting pf > 45 but eventually it will
> work its way in.
>
> What advantages to using pf47 over using pf45 have you found in ``real use''?
> And how realistic are those changes for the masses?

The firewall (FreeBSD 7.3) that I manage at work currently contains 36
nat/rdr rules and 39 filter rules. It's responsible for passing
traffic between 4 different networks. After reading the OpenBSD pf
FAQ, the biggest advantage that I see of pf47+ is the ability to
combine related filter/nat/rdr rules, making the entire ruleset easier
to maintain.

Personally, I would love to see the latest version of pf make it into
FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
syntax is not as important to me as the ability to simplify my set of
rules.

- Max
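The rule merging Max is describing, as an added illustration that is not part of the thread: the same port-80 forward written once in the pre-4.7 syntax (separate rdr/nat rules plus a pass rule that has to match the already-translated address) and once in the OpenBSD 4.7 syntax (translation as an option on the pass/match rule itself). Interface names and addresses are constructed for the example.

```pf
# --- pf 4.5 and earlier (what FreeBSD 7.x/8.x shipped) ---
ext_if    = "em0"              # constructed
int_if    = "em1"              # constructed
webserver = "192.0.2.10"       # constructed internal host

# Translation and filtering are separate rule classes. rdr runs
# before filtering, so the pass rule must name the *translated*
# destination, and a forward is only complete when both lines agree.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80
pass in  on $ext_if proto tcp from any to $webserver port 80 keep state
pass out on $ext_if from ($ext_if) to any keep state

# --- OpenBSD 4.7 syntax ---
# Translation becomes an option (nat-to / rdr-to) on match or pass
# rules, and filter rules match the pre-translation address. Each
# forward is one line, so reviewing the ruleset means reading one
# rule per service instead of pairing rdr entries with pass entries.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in  on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $webserver
pass out on $ext_if
```

A ruleset in the second form cannot contain an rdr entry without the pass rule that admits it, which removes one class of "forwarded but unexpectedly filtered" (or the reverse) mistakes that grow with 36 nat/rdr rules.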

