Future of pf / firewall in FreeBSD ? - does it have one ?

Lukasz lukasz at chroot.pl
Thu Jul 17 19:19:54 UTC 2014


+1

On 07/17/2014 01:15 AM, Kristian K. Nielsen wrote:
> Hi all,
> 
> I have been encouraged by people on the pf-mailinglist to move this
> discussion to the current mailinglist since this may be an area in the
> OS where FreeBSD needs to focus on next.
> 
> First of all I am a happy user of the pf-firewall module and have been
> for years and think it is really great - the trouble is that lately
> (since 2008) it's getting a bit dusty.
> 
> The last few years it seems that pf in FreeBSD got a long way away from
> pf in OpenBSD where it originated
> - also looking at ipfilter (ipf) and ipfw - to me they both do not
> seem to be as complete as pf.
> 
> So I am curious if anyone on the mailing list could elaborate about what the
> future of pf in FreeBSD is or should be.
> 
> a) First of all - is anyone actively developing pf in FreeBSD?
> 
> b) We are a major release away from OpenBSD (5.6 coming soon) - is
> following OpenBSD's pf the past? - should it be?
> 
> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a
> long discussion on the pf-mailing list flamed the new syntax saying it
> would cause FreeBSD administrators too much headache. Today on the list
> it seems everyone wants it - so would we rather stay on a dead branch
> than keep up with the main stream?
> 
> d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the
> pf-list.
> 
> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
> 
> f) IPv6 support? It seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments, which has been open
> since 2008 and where the workaround is the necessity to leave a completely
> open hole in your firewall ruleset to allow all fragments. According to
> a comment in the bug, this has long been gone in OpenBSD.
> 
> g) Performance, can we live with pf performance that, compared to OpenBSD,
> is slower by a factor of 3 or 4, even after the multi-core support in
> FreeBSD 10?
> (Henning Brauer noted that in his talk at
> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and
> 36:53)) - credit/Jim Thompson
> 
> h) Bringing back patches from pfSense?
> 
> And my most important question:
> 
> * Should this or could this be a project for the foundation to either do
> a summer project or funded project to bring this part of the OS up to date?
> 
> 
> Hope to hear from you all,
> 
> Best regards,
> 
> Kristian Kræmmer Nielsen,
> Odense, Denmark
> 
