RE: Future of pf / firewall in FreeBSD ? - does it have one ?

From: bycn82 <bycn82_at_gmail.com> Date: Mon, 21 Jul 2014 21:57:21 +0800 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:51 UTC

There is no doubt that PF is a really good firewall, But we should noticed that there is an ipfw which is originally from FreeBSD while PF is from OpenBSD.

If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve the ipfw. But if you just like the PF style, then I think choose OpenBSD is the better solution. Actually OpenBSD is another really good operating system. 

Like myself, I like CentOS and ipfw, so no choice :)

> -----Original Message-----
> From: owner-freebsd-current_at_freebsd.org [mailto:owner-freebsd-
> current_at_freebsd.org] On Behalf Of Andreas Nilsson
> Sent: 21 July, 2014 19:46
> To: sthaug_at_nethelp.no
> Cc: Maxim Khitrov; Current FreeBSD; Mailinglists FreeBSD
> Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
> 
> On Mon, Jul 21, 2014 at 8:56 AM, <sthaug_at_nethelp.no> wrote:
> 
> > > > > Also, the openbsd stack has some essential features missing in
> > freebsd,
> > > > > like mpls and md5 auth for bgp sessions.
> > > >
> > > > I use MD5 auth for BGP sessions every day (and have been doing so
> > > > for several releases). One could definitely wish for better
> > > > integration - having to specify MD5 key both in /etc/ipsec.conf
> > > > and in the Quagga bgpd config is not nice. But it works.
> > > >
> > > As far as I know you can only send out correctly authed stuff but
> > > not validate incoming. Has that changed?
> >
> > Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> > in r221023, see
> >
> > http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
> >
> > Steinar Haug, Nethelp consulting, sthaug_at_nethelp.no
> >
> > ----------------------------------------------------------------------
> >
> > Revision 221023 - (view) (download) (annotate) - [select for diffs]
> > Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by
> > attilio File length: 106717 byte(s) Diff to previous 220560 Add the
> > possibility to verify MD5 hash of incoming TCP packets.
> > As long as this is a costy function, even when compiled in (along with
> > the option TCP_SIGNATURE), it can be disabled via the
> > net.inet.tcp.signature_verify_input sysctl.
> >
> > Sponsored by:                       Sandvine Incorporated
> > Reviewed by:                        emaste, bz
> > MFC after:                          2 weeks
> >
> > I stand corrected. Excellent news ( for me, that is) :)
> 
> Best regards
> Andeas
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-
> unsubscribe_at_freebsd.org"