Date: Sun, 20 Feb 2011 17:16:12 -0500
From: Maxim Khitrov <max@mxcrypt.com>
To: jhell <jhell@dataix.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF from OpenBSD 4.7
Message-ID: <AANLkTimeob2Oa6CRzuB8ssTF5mDXXndn00jUcpRtDHK4@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1102201611490.13814@qvfongpu.qngnvk.ybpny>
References: <AANLkTi=P_KikS_GHn1h265ScL%2BcbwN1q4VitaMcWVuWx@mail.gmail.com> <alpine.BSF.2.00.1102192242110.4222@qvfongpu.qngnvk.ybpny> <AANLkTinqockMyjNjxesATm1yFNdRNBVcUaG=Z2a0PQw5@mail.gmail.com> <alpine.BSF.2.00.1102201611490.13814@qvfongpu.qngnvk.ybpny>

On Sun, Feb 20, 2011 at 4:16 PM, jhell <jhell@dataix.net> wrote:
>
> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>
>> On 20 February 2011 06:50, jhell <jhell@dataix.net> wrote:
>>>
>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>
>>>> I heard while ago about packet filter update coming, but there're no
>>>> news about. Which status of this update?
>>>>
>>>
>>> This was for OpenBSD pf45 not pf47. The patchset should be somewhere in
>>> the archives for HEAD.
>>>
>>
>> Differences between pf45 and pf47 are more smaller than between pf45
>> and current pf.
>>
>> I've found them, but there no status about. Should I ask same question
>> in freebsd-current@ mail list?
>>
>
> Difference being that after pf45 there was a syntax change that is nearly
> incompatible with the current pf41-45 syntax so AFAIR based on that pf45 was
> voted as the most likely to be merged into HEAD.
>
> There is an email from Theo @openbsd.org about the syntactic changes that
> have made people a little jumpy at adopting pf > 45 but eventually it will
> work its way in.
>
> What advantages to using pf47 over using pf45 have you found in ``real use''
> ? and how realistic are those changes for the masses ?

The firewall (FreeBSD 7.3) that I manage at work currently contains 36
nat/rdr rules and 39 filter rules. It's responsible for passing
traffic between 4 different networks.

After reading the OpenBSD pf FAQ, the biggest advantage that I see of
pf47+ is the ability to combine related filter/nat/rdr rules, making
the entire ruleset easier to maintain.

Personally, I would love to see the latest version of pf make it into
FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
syntax is not as important to me as the ability to simplify my set of
rules.

- Max
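
To illustrate the combining of filter/nat/rdr rules that the message above refers to, here is an added example; it is not part of the original e-mail and is not taken from the ruleset Max describes. It is a pf.conf fragment in the OpenBSD 4.7 syntax, with the equivalent pf41-45 rules shown in comments. The interface name, network and addresses are constructed.

```pf
# Constructed macros (assumptions, not from the thread)
ext_if  = "em0"
int_net = "192.168.1.0/24"
web     = "192.168.1.10"

# --- pf41-45 syntax: translation and filtering are separate rules ---
# Translation rules come first in the file and are evaluated before
# filtering, so the filter rule for the redirect has to be written
# against the already-translated destination ($web).
#
#   nat on $ext_if inet from $int_net to any -> ($ext_if)
#   rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web port 80
#
#   block in log on $ext_if
#   pass out on $ext_if
#   pass in  on $ext_if inet proto tcp from any to $web port 80

# --- pf47+ syntax: translation is an option on the filter rule ---
# Each policy decision and its translation now sit on one line, so a
# reviewer sees what is allowed and where it is sent in the same place.

block in log on $ext_if

# Outbound traffic from the internal network, source-NATed to the
# address of the external interface.
pass out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Inbound HTTP to the firewall's external address, redirected to the
# internal web server.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    rdr-to $web port 80
```

In the older form each forwarded service needs two rules kept in sync (the `rdr` and its matching `pass`), which is where a stale redirect or an over-broad pass rule tends to hide when a ruleset reaches the size mentioned in the message.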