From: Jim Thompson
Date: Wed, 17 Dec 2014 18:47:40 -0600
Subject: Re: Alternative to pf?
To: Christopher Petrik
Cc: freebsd-pf@freebsd.org
Message-Id: <4F19F7E8-0286-4F2F-B4E3-9DCB8B3BFF9B@netgate.com>
In-Reply-To: <20141218001656.GA18291@bsdjunk.com>

> On Dec 17, 2014, at 6:16 PM, Christopher Petrik wrote:
>
> On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
>> Hi,
>>
>> During the year there have been several discussions regarding the state of pf
>> in FreeBSD. In most cases it seems to boil down to that it's too
>> hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD. As
>> it's been mentioned Apple seems to update pf somewhat (copyright is changed
>> to 2013 at least) and file size differs between OS X releases but I wasn't
>> able to find any commit logs.
>>
>> That said, NetBSD have something similar to pf in syntax called npf which
>> seems actively maintained and the author seems open to the idea of porting
>> it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling ALTQ comes to mind
>> etc).
>> Perhaps this might be worth looking into and in the end drop pf due to the
>> reasons above?
>>
>> That said, don't forget all the work that has gone into getting pf where it
>> is today.
>> While I'm at it, does anyone else than me use ALTQ? While it's not
>> multithreaded I find it a very good "tool" and it does shaping really well.
>>
>> Best regards,
>> Daniel
> Hi,
> I think the real question is, "Do we really need so many firewall suites
> in FreeBSD" we have ipfw, ipf, pf I think the solution would be to port
> npf as its basis is to be portable. I use it and it takes some getting
> used to but it looks promising. But then this creates a 4th suite to add
> into FreeBSD ?

We could ‘port’ it to run on top of netmap (like the version of ipfw that runs over netmap). Then it’s not necessarily “in” FreeBSD.

Jim