From owner-freebsd-pf@FreeBSD.ORG Sun Feb 20 22:40:20 2011
From: Maxim Khitrov
Date: Sun, 20 Feb 2011 17:16:12 -0500
To: jhell
Cc: freebsd-pf@freebsd.org
Subject: Re: PF from OpenBSD 4.7
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sun, Feb 20, 2011 at 4:16 PM, jhell wrote:
>
> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>
>> On 20 February 2011 06:50, jhell wrote:
>>>
>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>
>>>> I heard a while ago about a packet filter update coming, but there's no
>>>> news about it. What is the status of this update?
>>>>
>>>
>>> This was for OpenBSD pf45, not pf47. The patchset should be somewhere in
>>> the archives for HEAD.
>>>
>>
>> Differences between pf45 and pf47 are much smaller than between pf45
>> and current pf.
>>
>> I've found them, but there is no status about them. Should I ask the same
>> question on the freebsd-current@ mailing list?
>>
>
> The difference being that after pf45 there was a syntax change that is nearly
> incompatible with the current pf41-45 syntax, so AFAIR based on that pf45 was
> voted as the most likely to be merged into HEAD.
>
> There is an email from Theo @openbsd.org about the syntactic changes that
> have made people a little jumpy at adopting pf > 45, but eventually it will
> work its way in.
>
> What advantages to using pf47 over using pf45 have you found in ``real use''?
> And how realistic are those changes for the masses?

The firewall (FreeBSD 7.3) that I manage at work currently contains 36 nat/rdr rules and 39 filter rules. It's responsible for passing traffic between 4 different networks. After reading the OpenBSD pf FAQ, the biggest advantage that I see of pf47+ is the ability to combine related filter/nat/rdr rules, making the entire ruleset easier to maintain.

Personally, I would love to see the latest version of pf make it into FreeBSD 9 or even one of the 8.x releases. Compatibility with existing syntax is not as important to me as the ability to simplify my set of rules.

- Max
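The rule consolidation Max describes, as an added illustration that is not part of the thread: the same gateway policy (outbound NAT for a LAN plus one published web server) written first in the pf45 layout that FreeBSD 7.3 ships, then in the OpenBSD 4.7 layout. Interface names, the LAN prefix and the web-server address are constructed placeholders, and a default block policy is assumed to exist elsewhere in the file.

```pf
# Constructed example; interfaces and addresses are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.10.0/24"
web_srv = "192.168.10.80"

## pf45 layout (what FreeBSD 7.3 parses): translation rules live in their
## own section and each rdr needs a separate pass rule, written against the
## post-translation address, that must be kept in sync with it by hand.
# nat on $ext_if from $lan_net to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
# pass in on $ext_if proto tcp from any to $web_srv port 80
# pass out on $ext_if from $lan_net to any

## OpenBSD 4.7 layout: nat-to / rdr-to are options on the filter rule itself,
## so translation and the decision to pass the traffic are one rule, and the
## pre-translation address is what the rule matches on. Two rules replace four.
pass out on $ext_if inet from $lan_net nat-to ($ext_if)
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
```

Loading the second form with `pfctl -nf` on a pf45 kernel fails on `nat-to`/`rdr-to`; that parse failure is the syntax incompatibility jhell refers to, so a ruleset has to be converted as a whole rather than rule by rule.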