Date: Wed, 31 Dec 2014 16:34:22 -0800
From: "Chris H" <bsd-lists@bsdforge.com>
To: <freebsd-hackers@freebsd.org>
Subject: Re: [FreeBSD 11 Wishlist] Replacing an OpenBSD Firewall
Message-ID: <31923e8f7993d5459dbd4df275f3c880@ultimatedns.net>
In-Reply-To: <54A3F893.5010700@freebsd.org>
References: <1419995051.3716640.208176841.1676669A@webmail.messagingengine.com>, <54A3F893.5010700@freebsd.org>
On Wed, 31 Dec 2014 05:22:27 -0800 Nathan Whitehorn <nwhitehorn@freebsd.org> wrote

> On 12/30/14 19:04, Mark Felder wrote:
> > After finding today that some of my intermittent home network problems
> > are likely due to OpenBSD being unable to keep time* on my PC Engines
> > APU4 firewall I am attempting yet again to run FreeBSD in this role.
> >
> > Here are my pain points that made me go with OpenBSD for so long:
> >
> > 1) No IPSEC in GENERIC
> > 2) if_stf not having 6rd support (paging hrs@)
>
> I'll second this.

I'll third this.

> I'd note, however, that you can get 6RD working with
> gif(4) perfectly well so long as you don't care about reaching other
> customers on your local network segment. I've been using this for the
> last 6 months.

I've been using stf w/o gif(4) for ~1yr. First on RELENG_8, and now
on RELENG_9 && 11-CURRENT, using patches kindly provided on the net@
list, when I also inquired about RA (stf) support. But, as you
mentioned; with the caveat of being unable to communicate with others
on the local net segment.

--Chris

> -Nathan
>
> > 3) pf issues: ipv6 checksums, fragments
> > 4) pf syntax (ok, this is really an "I wish...")
> >
> > I noticed net/stf-6rd-kmod now has a patch for FreeBSD 10 so I grabbed
> > the diff and built an IPSEC kernel with this patch applied. I'm now
> > mostly up and running except for the fact that I have no idea how to
> > configure stf for 6rd. There don't seem to be any docs/examples
> > anywhere. Unfortunately the man page edits in the diff don't give me any
> > details. I'd love to see a simple example because I'm completely lost
> > right now.
> >
> > In conclusion:
> > - Let's get IPSEC into GENERIC or make it accessible for users via pkg.
> > It will need to receive the same treatment as GENERIC's freebsd-update
> > patches.
> > - Can we please get 6rd support in head? I understand these shims have
> > lost a lot of interest/momentum but native IPv6 isn't coming soon for
> > most people.
> > - Glad to see pf patches flowing in: ipv6, checksum, vnet, etc. Thanks
> > everyone!
> >
> >
> > I will say I'm completely baffled by one thing though: the concept of
> > having rtadvd in base, but no dhcpd in base. That doesn't make any sense
> > to me. Shouldn't rtadvd be moved to ports?
> >
> >
> >
> > *For those curious, OpenBSD falls behind several seconds per minute and
> > sometimes jumps hundreds behind. It's not a hardware issue as FreeBSD
> > runs fine. Changing time counters in OpenBSD didn't work. This probably
> > started around the time I upgraded to OpenBSD 5.6, but I'm not sure.
> > _______________________________________________
> > freebsd-hackers@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"