From: "Jeremy C. Reed" <reed@reedmedia.net>
To: Igor Zinovik
Cc: freebsd-pf@freebsd.org
Date: Tue, 11 Mar 2008 06:14:51 -0500 (CDT)
Subject: Re: PF perfomance in freebsd
In-Reply-To: <20080311090953.GA1764@zinovik.kspu.karelia.ru>
References: <20080311090953.GA1764@zinovik.kspu.karelia.ru>

On Tue, 11 Mar 2008, Igor Zinovik wrote:

> I decided to switch from ipf to pf at work. So I try to explain to my
> co-admin why pf is better than ipf. My main arguments for switching from
> ipf are that pf is still maintained and feature rich. The main disadvantage
> of ipf is that it is hard to maintain the configuration file (since it does
> not support macros, we created a shell script to obtain macro support).

These arguments are not true.

IPF is maintained.

FreeBSD's official handbook says "IPFILTER is actively being supported and maintained, with updated versions being released regularly." The FAQ was last updated on 07/05/07 (July 2007, I assume). It looks like the latest release of IP Filter (4.1.28) was released on Oct. 17, 2007.

IPF is feature rich. Some examples:

- tuning during run-time;
- save state over reboots;
- active and testing filter which can be swapped;
- can generate C code for filter rules hard-coded in a custom kernel;
- flush specific TCP states (at run-time);
- flush idle states that are a certain age (at run-time);
- provides tools to generate a simple ruleset and to test rulesets without enabling them on the real firewall (and using various packet input formats);
- able to call kernel functions per rule;
- authentication (such as a password) for rules;
- lookup tables;
- packet-per-second matching;
- a few built-in proxies;
- some load balancing;
- checksum verifications;
- and more.

IPF does support macros. It has always supported nested variable substitution. (Sadly this is not documented.)

Jeremy C. Reed

p.s. I primarily use PF because of its great documentation -- in fact, I published an edited, indexed, cross-referenced, and improved version of some PF docs in book format.