Alternative to pf?

Mario Lobo lobo at bsd.com.br
Thu Dec 18 01:57:00 UTC 2014


On Thu, 18 Dec 2014 00:43:59 +0100
Daniel Engberg <daniel.engberg.lists at pyret.net> wrote:

> Hi,
> 
> During the year there have been several discussions regarding the
> state of pf in FreeBSD. In most cases it seems to boil down to that
> it's too hard/time-consuming to bring upstream patches from OpenBSD
> to FreeBSD. As it's been mentioned Apple seems to update pf somewhat
> (copyright is changed to 2013 at least) and file size differs between
> OS X releases but I wasn't able to find any commit logs.
> 
> That said, NetBSD have something similar to pf in syntax called npf 
> which seems actively maintained and the author seems open to the idea
> of porting it to FreeBSD.
> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
> However I'm not certain that it surpasses our current pf in terms of 
> functionality in all cases (apart from the firewalling ALTQ comes to 
> mind etc).
> Perhaps this might be worth looking into and in the end drop pf due
> to the reasons above?
> 
> That said, don't forget all the work that has gone into getting pf
> where it is today.
> While I'm at it, does anyone else than me use ALTQ? While it's not 
> multithreaded I find it a very good "tool" and it does shaping really
> well.
> 
> Best regards,
> Daniel


I think that just pf and ipfw would be more than "enough" for FBSD. I
have used both but I'm more comfortable with pf's configuration than
with ipfw. I have even tested ipfw filtering together with pf altq. I
totally rely on pf's ALTQ at production simply because it works
perfectly, no matter how complex the setup. Been using it for years now.

From what I have read, there are quite a few changes in OpenBSD pf,
especially as far as syntax is concerned. I'm just a user so I can only
imagine the hard work involved in porting it but running the risk of
making a lame comment, I would be completely satisfied if only 2 things
could be implemented: SMP and fix the ALTQ limitation "bug".

For everything else, I wouldn't change a thing.
-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
 
"UNIX was not designed to stop you from doing stupid things, 
because that would also stop you from doing clever things."

