Date: Mon, 21 Feb 2011 09:17:55 +0100
From: Damien Fleuriot <ml@my.gd>
To: Maxim Khitrov <max@mxcrypt.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: PF from OpenBSD 4.7
Message-ID: <9EFB32D1-489C-44C5-8D70-95685099AC03@my.gd>
In-Reply-To: <AANLkTimeob2Oa6CRzuB8ssTF5mDXXndn00jUcpRtDHK4@mail.gmail.com>
References: <AANLkTi=P_KikS_GHn1h265ScL+cbwN1q4VitaMcWVuWx@mail.gmail.com> <alpine.BSF.2.00.1102192242110.4222@qvfongpu.qngnvk.ybpny> <AANLkTinqockMyjNjxesATm1yFNdRNBVcUaG=Z2a0PQw5@mail.gmail.com> <alpine.BSF.2.00.1102201611490.13814@qvfongpu.qngnvk.ybpny> <AANLkTimeob2Oa6CRzuB8ssTF5mDXXndn00jUcpRtDHK4@mail.gmail.com>
On 20 Feb 2011, at 23:16, Maxim Khitrov <max@mxcrypt.com> wrote:

> On Sun, Feb 20, 2011 at 4:16 PM, jhell <jhell@dataix.net> wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell <jhell@dataix.net> wrote:
>>>>
>>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>>
>>>>> I heard a while ago about a packet filter update coming, but there's no
>>>>> news about it. What is the status of this update?
>>>>>
>>>>
>>>> This was for OpenBSD pf45 not pf47. The patchset should be somewhere in the
>>>> archives for HEAD.
>>>>
>>>
>>> Differences between pf45 and pf47 are much smaller than between pf45
>>> and current pf.
>>>
>>> I've found them, but there is no status about them. Should I ask the same question
>>> on the freebsd-current@ mailing list?
>>>
>>
>> Difference being that after pf45 there was a syntax change that is nearly
>> incompatible with the current pf41-45 syntax, so AFAIR based on that pf45 was
>> voted as the most likely to be merged into HEAD.
>>
>> There is an email from Theo @openbsd.org about the syntactic changes that
>> have made people a little jumpy at adopting pf > 45, but eventually it will
>> work its way in.
>>
>> What advantages to using pf47 over using pf45 have you found in ``real use''?
>> And how realistic are those changes for the masses?
>
> The firewall (FreeBSD 7.3) that I manage at work currently contains 36
> nat/rdr rules and 39 filter rules. It's responsible for passing
> traffic between 4 different networks. After reading the OpenBSD pf
> FAQ, the biggest advantage that I see of pf47+ is the ability to
> combine related filter/nat/rdr rules, making the entire ruleset easier
> to maintain.
>

See it another way, you've got as little as 70 rules to maintain, overall.

I have 1k ish spread over roughly 20 PF boxes.

While I yearn for the ability to use include directives and such, my main concern remains that during an upgrade the risk be minimal.

> Personally, I would love to see the latest version of pf make it into
> FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
> syntax is not as important to me as the ability to simplify my set of
> rules.
>

As a matter of fact, and without considering whether this would be doable or not:

It would be awesome to be able to choose in the kernel config file the desired version for pf.

Have both pf45 and pf47, with the current "pf" entry referring to pf45 not to break anything.

Would that even be feasible guys?

> - Max
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
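Added illustration, not part of the thread, of the rule consolidation Max describes: the same outbound NAT and web-server redirect written first in the separate nat/rdr/pass form of pf 4.1-4.5 and then in the OpenBSD 4.7 form, where translation is an option on a filter rule. The interface names and the 192.168.1.10 server address are constructed for the example.

```conf
# Constructed example: macros for a two-interface firewall
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.10"

# --- pf 4.1-4.5 style: translation and filtering are separate rules ---
# nat/rdr rules are evaluated before the filter, so the pass rule has to
# match the already-translated (internal) destination. Two rules must be
# kept in sync for one service.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
pass in on $ext_if proto tcp from any to $web_srv port 80

# --- OpenBSD 4.7 style: nat-to / rdr-to are options on match or pass rules ---
# The rule matches the packet as it arrives (external address) and carries
# the translation with it, so the filter decision and the redirect are one line.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
```

The two forms are not interchangeable, which is the syntax break jhell refers to; a ruleset written in one form will not load under the other. Checking a converted ruleset with `pfctl -nf /etc/pf.conf` before loading it is the usual way to catch this. In the 4.7 form a redirect cannot exist without the pass rule that admits the traffic, so consolidating also removes one class of mismatch to review.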