Future of pf / firewall in FreeBSD ? - does it have one ?
rkoberman at gmail.com
Sat Jul 19 23:54:52 UTC 2014
On Sat, Jul 19, 2014 at 6:50 AM, Mark Felder <feld at freebsd.org> wrote:
> On Jul 19, 2014, at 3:35, Andreas Nilsson <andrnils at gmail.com> wrote:
> > On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim <list_freebsd at bluerosetech.com> wrote:
> >> On 7/18/2014 4:06 AM, Gleb Smirnoff wrote:
> >>> K> b) We are a major release away from OpenBSD (5.6 coming soon) - is
> >>> K> following OpenBSD's pf the past? - should it be?
> >>> Following OpenBSD on features would be cool, but no bulk imports
> >>> would be made again. Bulk imports produce bad quality of port,
> >>> and also pf in OpenBSD has no multi thread support.
> >> I would much rather have a slower pf that actually supports modern
> >> networking than a faster one I can't use due to showstopper flaws and
> >> missing features.
> > So would I. Not that we use pf, but anyway.
> >> There is currently no viable firewall module for FreeBSD if you want to
> >> do things like route IPv6.
> > Isn't that possible with ipfw?
> > Perhaps the pf guys in OpenBSD could be convinced to start openpf and
> > porting layer as in openzfs.
> I do not know ipfw IPv6 limitations, but the Wikipedia article says:
> * IPv6 support (with several limitations)
> Choice is nice, but I would like to see the project promote one firewall
> to users. My coworkers long ago jumped ship from ipfw to pf and I now
> regret that decision due to the IPv6 bugs. At this point it's too hard to
> migrate all the servers off of pf.
I believe that this is obsolete, at least with 10.
It certainly used to be the case in older versions. I suspect the improved
ipfw is now in 9.3 and perhaps even 8.4, but I can't swear to it. I do know
that the 10.0 version broke several of my firewall rules which would have
made back-porting to older versions unacceptable but I believe that this is
no longer the case. Some IPv6 specific keywords had been eliminated, but I
think that they are all back in place, now. No longer required, but there
The last feature I am aware of that lacked ipv6 support was tables. If any
more exist, they are subtle and I have not hit them to this point.
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com