From owner-freebsd-questions@FreeBSD.ORG Thu Jul 31 07:41:07 2014
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4299D65D; Thu, 31 Jul 2014 07:41:07 +0000 (UTC)
Received: from mario.brtsvcs.net (mario.brtsvcs.net [IPv6:2607:fc50:0:a400::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 164762544; Thu, 31 Jul 2014 07:41:06 +0000 (UTC)
Received: from chombo.houseloki.net (c-73-37-112-64.hsd1.or.comcast.net [73.37.112.64]) by mario.brtsvcs.net (Postfix) with ESMTPSA id F1B7A2C1630; Thu, 31 Jul 2014 00:40:57 -0700 (PDT)
Received: from [IPv6:2601:7:2280:38b:baca:3aff:fe83:bd29] (unknown [IPv6:2601:7:2280:38b:baca:3aff:fe83:bd29]) by chombo.houseloki.net (Postfix) with ESMTPSA id 6F6DDD73; Thu, 31 Jul 2014 00:40:55 -0700 (PDT)
Message-ID: <53D9F300.2010308@bluerosetech.com>
Date: Thu, 31 Jul 2014 00:40:48 -0700
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Gleb Smirnoff
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com> <20140729101806.GB89995@FreeBSD.org>
In-Reply-To: <20140729101806.GB89995@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Kristian K. Nielsen", Franco Fichtner, freebsd-current@freebsd.org, freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 31 Jul 2014 07:41:07 -0000

On 7/29/2014 3:18 AM, Gleb Smirnoff wrote:
> Darren,
>
> On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote:
> D> Never mistake silence for consent.
> D>
> D> The vast majority of people don't know pf is outdated and broken on
> D> FreeBSD because they don't know what they're missing and likely aren't
> D> using IPv6 yet. The moment you turn on IPv6 and restart a validating
> D> unbound, you run full-speed into pf's broken behaviour. Make an
> D> EDNS0-enabled query for a signed zone and you'll get a fragmented UDP
> D> packet that will never make it through unless you tell pf to allow all
> D> fragments unconditionally. They'll simply think something is wrong with
> D> unbound, turn off EDNS0 and/or validation, hurt performance and/or
> D> security in the process, and never realize their firewall is doing
> D> literally the worst possible thing it could do.
> D>
> D> All because over half a decade ago some folks got all butthurt over a
> D> config file format change.
>
> Do I understand you right, that you propose a bulk update of tens of
> thousands of lines of nontrivial code in order to fix a particular bug
> that can be nailed down separately?

No. I believe pf should be removed from FreeBSD and efforts refocused on
keeping ipfw up to date and feature complete. It makes more sense to look
at what pf, ipf, nftables, etc. are all doing as a source of ideas for
what we can do with ipfw.

A decade ago, there was justification for adding pf: at the time, ipfw
lacked some major features. Ipfw has since caught up. I see no remaining
value in having more than one packet filter in the base. Ipfw is more
mature and less broken, so we should keep it and ditch the rest in the
name of survival efficiency.

> Do you also say that breaking configuration
> files for a large number of people is okay if the update is expected
> to fix a bug unrelated to configuration?

Yes. Loss of configuration file backward compatibility is a fact of
progress. Here are some examples of places where FreeBSD broke backward
compatibility of a configuration file:

- rc.conf (with every major version change)
- resolv.conf
- kernels
- make.conf vs. src.conf
- the ports collection
- pkg vs. pkgng
- pkgng changes within pkgng 1.x

On top of that, we also have whole chunks of the OS where compatibility
was broken (e.g., the toolchain, switch to unbound, etc.).

> To me it sounds like hunting a sparrow with a cannon.

The whole thing, to me, was an example of lobbyist politics: a vocal
minority had the resources and access to stop progress. Now we are all
suffering for their ignorance and arrogance. If anything, we should
rename pf to tppf (short for "Tea Party Packet Filter").
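The failure mode Darren describes in the quoted paragraph (an EDNS0 query with a large advertised buffer size pulls back a DNSSEC-signed answer that is too big for one IPv6 packet, so it arrives as UDP fragments that a fragment-dropping firewall silently discards) can be reasoned about at the wire level. The following is an added example written for this page; it is not code from the thread, from unbound or from pf. It builds a DNS query with and without an RFC 6891 OPT record, parses the advertised EDNS0 parameters back out, and classifies what a resolver would see for a response of a given size. The zone name `example.net.`, the transaction ID and all response sizes are constructed placeholders, and the classifier models only the client-advertised limit (a real server also caps at its own maximum).

```python
"""
Added example (not part of the mailing-list thread): EDNS0 buffer size
versus IPv6 fragmentation for DNS over UDP.
"""
import struct
from typing import Optional

IPV6_MIN_MTU = 1280          # RFC 8200: every IPv6 link must carry this
IPV6_HEADER = 40
UDP_HEADER = 8
CLASSIC_DNS_UDP_MAX = 512    # RFC 1035 limit when no OPT record is present
TYPE_OPT = 41                # RFC 6891 OPT pseudo-RR


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                edns_bufsize: Optional[int] = None, do_bit: bool = False) -> bytes:
    """
    Build a DNS query (RD set).  With edns_bufsize an OPT record is appended:
    owner name is the root, TYPE=41, the CLASS field carries the advertised
    UDP payload size, and the TTL field carries ext-RCODE/version/DO flag.
    """
    flags = 0x0100  # recursion desired
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # IN class
    if edns_bufsize is not None:
        ttl = 0x8000 if do_bit else 0      # DO bit is the top bit of the TTL field
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, ttl, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_opt(msg: bytes) -> Optional[dict]:
    """Return the EDNS0 parameters carried in a DNS message, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"udp_payload_size": rclass,
                    "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000)}
    return None


def udp_response_fits(payload_len: int, advertised: Optional[int],
                      path_mtu: int = IPV6_MIN_MTU) -> str:
    """
    Classify a UDP response of payload_len bytes as the resolver will see it.
    "truncated":     larger than the limit the client advertised, so the
                     server sets TC and the resolver retries over TCP.
    "fragmented":    fits the advertised buffer but IPv6+UDP headers plus
                     payload exceed the path MTU; it reaches the resolver
                     only if the firewall passes the fragments.
    "single-packet": delivered in one datagram.
    (Simplification: a real server also caps at its own maximum size.)
    """
    limit = advertised if advertised else CLASSIC_DNS_UDP_MAX
    if payload_len > limit:
        return "truncated"
    if IPV6_HEADER + UDP_HEADER + payload_len > path_mtu:
        return "fragmented"
    return "single-packet"


if __name__ == "__main__":
    q = build_query("example.net.", 1, edns_bufsize=4096, do_bit=True)
    print(len(q), "byte query, EDNS0:", parse_opt(q))
    # A constructed 1800-byte signed answer under three client settings:
    for bufsize in (None, 4096, 1232):
        print("bufsize", bufsize, "->", udp_response_fits(1800, bufsize))
```

The last case explains the number a practitioner reaches for instead of disabling EDNS0 or validation: 1280 minus the 48 bytes of IPv6 and UDP headers is 1232, the largest payload guaranteed to cross an IPv6 path without fragmentation, so advertising that size turns a silently dropped fragment into an explicit TC=1 and a TCP retry.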