Hi all,

I have been encouraged by people on the pf-mailinglist to move this discussion to the current mailinglist since this may be an area in the OS where FreeBSD needs to focus on next.

First of all I am a happy user of the pf-firewall module and have been for years and think it is really great - the trouble is that lately (since 2008) it's getting a bit dusty. The last few years it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated - also looking at the ipfilter (ipf) and ipfw - they both to me do not seem to be as complete as pf.

So I am curious if any on the mailing list could elaborate about what the future of pf in FreeBSD is or should be.

a) First of all - are any actively developing pf in FreeBSD?

b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past? - should it be?

c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf-mailing list flamed the new syntax saying it would cause FreeBSD administrators too much headache. Today on the list it seems everyone wants it - so would we rather stay on a dead branch than keep up with the main stream?

d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the pf-list.

e) OpenBSD is retiring ALTQ entirely - any thoughts on that? http://undeadly.org/cgi?action=article&sid=20140419151959

f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD and I am (as well as others) introducing more and more IPv6 in networks. E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933, which is the bug on not handling IPv6 fragments which has been open since 2008 and where the workaround is the necessity to leave a completely open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.

g) Performance, can we live with pf-performance that compared to OpenBSD is slower by a factor of 3 or 4, even after the multi-core support in FreeBSD 10? (Henning Brauer noted that in this talk at http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 36:53)) - credit/Jim Thompson

h) Bringing back patches from pfSense?

And my most important question:

* Should this or could this be a project for the foundation to either do a summer project or funded project to bring this part of the OS up to date?

Hope to hear from you all,

Best regards,
Kristian Kræmmer Nielsen,
Odense, Denmark

Received on Wed Jul 16 2014 - 21:15:21 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:50 UTC