Future of pf / firewall in FreeBSD ? - does it have one ?

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jul 21 06:31:31 UTC 2014


On 20/07/2014 23:26, Daniel Feenberg wrote:
> I am not privy to the inner workings of the project, but surely a
> decision of this importance would come to the attention of the
> core team, who are listed at:
> 
>   http://www.freebsd.org/administration.html#t-core

Members of the core team are well aware of the discussions around pf --
possibly not the current thread in -questions at ..., but certainly
discussion on -net at ... and other more technical lists.

However core is not necessarily the body to decide how pf should be
developed in future.  Such decisions are usually made by the developers
with deep domain knowledge and the time and resources to work on the
area.  core would only tend to get involved in case there was a dispute
between developers that could not otherwise be resolved, or if there
were questions of licensing or some problem that would bring the entire
project into disrepute.

In fact a far more relevant body in this case is the FreeBSD Foundation.
As the primary fundraising arm of the project they would be the people
to go to when looking to fund development on something like this.

> A port of OpenBSD PF may be quite impractical or undesirable- I have no
> idea. However, if all potential contributions are viewed as criticism to
> be refuted, it will damage the ability of the project to attract
> contributors. Rather than telling a potential contributor that their
> efforts will never be included in the official distribution it would be
> more supportive of the project to say that a port of PF would be welcome
> as a port, but might have difficulty displacing current offering. That
> doesn't promise anything, but encourages involvement, if indeed
> involvement is desired.

Now this -- on the level of how the project encourages or discourages
contributions of development work -- is far more the sort of thing core
takes an interest in.  However the first question will be 'does whatever
proposed change stand up technically?'

From what I've seen in this thread, there is an expressed desire to
resynchronise the syntax used by pf.conf(5) with OpenBSD -- for which
there are valid arguments both for and against.  However the suggestion
that this should be done by re-importing the entire pf code base from
OpenBSD has been rebuffed for good reason.  Whether it is feasible to
update just the pf user interface -- maybe even allow 'old' and 'new'
syntax depending on command line options -- is a far more interesting
question.

Also, do not confuse the responses of one or a small group of FreeBSD
developers for the general policy of the project.  FreeBSD developers
tend to be a self-selected highly technical bunch and not always
interested in or practised at dealing with the general public.
Stringent criticism is actually a good sign: it means that what is being
proposed looks to have potential, but definitely needs work.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
