Date:      Mon, 21 Feb 2011 09:10:24 +0100
From:      Ermal Luçi <eri@freebsd.org>
To:        Maxim Khitrov <max@mxcrypt.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF from OpenBSD 4.7
Message-ID:  <AANLkTikobbyUyVTuk7isZsSpDvq3Z1GTMYrs4cgQWi9d@mail.gmail.com>
In-Reply-To: <AANLkTimeob2Oa6CRzuB8ssTF5mDXXndn00jUcpRtDHK4@mail.gmail.com>
References:  <AANLkTi=P_KikS_GHn1h265ScL%2BcbwN1q4VitaMcWVuWx@mail.gmail.com> <alpine.BSF.2.00.1102192242110.4222@qvfongpu.qngnvk.ybpny> <AANLkTinqockMyjNjxesATm1yFNdRNBVcUaG=Z2a0PQw5@mail.gmail.com> <alpine.BSF.2.00.1102201611490.13814@qvfongpu.qngnvk.ybpny> <AANLkTimeob2Oa6CRzuB8ssTF5mDXXndn00jUcpRtDHK4@mail.gmail.com>

On Sun, Feb 20, 2011 at 11:16 PM, Maxim Khitrov <max@mxcrypt.com> wrote:
> On Sun, Feb 20, 2011 at 4:16 PM, jhell <jhell@dataix.net> wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell <jhell@dataix.net> wrote:
>>>>
>>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>>
>>>>> I heard a while ago about a packet filter update coming, but there's no
>>>>> news about it. What is the status of this update?
>>>>>
>>>>
>>>> This was for OpenBSD pf45 not pf47. The patchset should be somewhere in
>>>> the
>>>> archives for HEAD.
>>>>
>>>
>>> Differences between pf45 and pf47 are smaller than between pf45
>>> and current pf.
>>>
>>> I've found them, but there is no status about them. Should I ask the same question
>>> on the freebsd-current@ mailing list?
>>>
>>
>> Difference being that after pf45 there was a syntax change that is nearly
>> incompatible with the current pf41-45 syntax so AFAIR based on that pf45 was
>> voted as the most likely to be merged into HEAD.
>>
>> There is an email from Theo @openbsd.org about the syntactic changes that
>> have made people a little jumpy at adopting pf > 45 but eventually it will
>> work its way in.
>>
>> What advantages to using pf47 over using pf45 have you found in ``real use''
>> ? and how realistic are those changes for the masses ?
>
> The firewall (FreeBSD 7.3) that I manage at work currently contains 36
> nat/rdr rules and 39 filter rules. It's responsible for passing
> traffic between 4 different networks. After reading the OpenBSD pf
> FAQ, the biggest advantage that I see of pf47+ is the ability to
> combine related filter/nat/rdr rules, making the entire ruleset easier
> to maintain.
>

You can do that even today on FreeBSD if you disable ruleset ordering checks.
AFAIK the only benefits from the syntax changes are in
some rare setups and having the possibility to enforce some rules
before NAT is applied.

Other than that I do not see anything else!

> Personally, I would love to see the latest version of pf make it into
> FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
> syntax is not as important to me as the ability to simplify my set of
> rules.
>
> - Max



-- 
Ermal


