PF bugs

Stan Gammons s_gammons at charter.net
Sat Jun 22 04:15:05 UTC 2013


On Fri, 2013-06-21 at 23:24 -0400, Maxim Khitrov wrote:
> For what it's worth, I've been gradually migrating the few firewalls
> that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use
> for protecting individual servers, but I find that the new syntax,
> which was introduced after OpenBSD 4.5, produces rulesets that are
> more compact and easier to maintain when it comes to routing traffic
> between networks. The new priority queuing (set prio) is much simpler
> than ALTQ (and should perform better, though I haven't tested this).
> I'm also looking forward to the work that's being done to free HFSC
> from ALTQ and make it understandable and usable by mere mortals.

I too like OpenBSD and wish PF were in sync on both OSes.

> PF is still my choice on FreeBSD and I've never had any issues with
> the tools (pfctl and pftop primarily), but OpenBSD's version is more
> actively maintained and improved. There have been plenty of
> discussions about porting a more recent version of pf to FreeBSD
> (search the archives) and it doesn't look like that will happen any
> time soon. If you'd like to understand the differences between the
> two, below are a few presentations on the topic:

Thanks for the links.  I'm looking for a tool that does reporting more
along the lines of what Lire (logreport) does for syslog, postfix, snort
and so on. I've tinkered with hatchet some on OpenBSD and it's OK, but
isn't quite what I was looking for.  The tcpdump seems to be different
on FreeBSD too, as I've been unable to get hatchet to work on FreeBSD.


Stan
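To make the "set prio vs. ALTQ" remark concrete, here is a side-by-side pf.conf fragment that gives interactive SSH traffic priority over bulk traffic. This is an added illustration, not a ruleset posted by either participant or taken from any project; the interface names (em0, egress) and the port choice are assumptions for the example, and the rulesets are deliberately minimal rather than a complete firewall policy.

```conf
# --- FreeBSD pf (ALTQ, priq scheduler) -----------------------------------
# Requires a kernel built with ALTQ support; the queue tree must be
# declared before any rule can reference a queue by name.
altq on em0 priq bandwidth 100Mb queue { q_hi, q_lo }
queue q_hi priority 7
queue q_lo priority 1 priq(default)

pass out on em0 proto tcp to port ssh queue q_hi
pass out on em0 queue q_lo

# --- OpenBSD pf (set prio, 4.6 and later) ---------------------------------
# No scheduler or queue declaration is needed: prio 0-7 is attached to
# the state directly.  The two-value form "(3, 6)" is an OpenBSD feature:
# the second value is used for pure ACKs and packets with a lowdelay
# TOS/DSCP marking, which keeps bulk transfers from stalling interactive
# flows.
match out on egress set prio (3, 6)
pass out on egress proto tcp to port ssh set prio 6
pass out on egress
```

Two practical checks before relying on either form: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and on FreeBSD `pfctl -sq -v` shows whether the ALTQ queues were actually attached to the interface (no queue output means ALTQ is not compiled into the kernel or the driver does not support it). On OpenBSD, `pfctl -ss -vv` shows the priority assigned to each state. Note that the OpenBSD syntax will not load on FreeBSD's pf of this era, which is the divergence the thread is about.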