Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 29 Jul 2014 14:18:06 +0400
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc:        "Kristian K. Nielsen" <freebsd@com.jkkn.dk>, Franco Fichtner <franco@lastsummer.de>, freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID:  <20140729101806.GB89995@FreeBSD.org>
In-Reply-To: <53CB4736.90809@bluerosetech.com>
References:  <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
  Darren,

On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote:
D> Never mistake silence for consent.
D> 
D> The vast majority of people don't know pf is outdated and broken on 
D> FreeBSD because they don't know what they're missing and likely aren't 
D> using IPv6 yet.  The moment you turn on IPv6 and restart a validating 
D> unbound, you run full-speed into pf's broken behaviour.  Make an 
D> EDNS0-enabled query for a signed zone and you'll get a fragmented UDP 
D> packet that will never make it through unless you tell pf to allow all 
D> fragments unconditionally.  They'll simply think something is wrong with 
D> unbound, turn off EDNS0 and/or validation, hurt peformance and/or 
D> security in the process, and never realize their firewall is doing 
D> literally the worst possible thing it could do.
D> 
D> All because over half a decade ago some folks got all butthurt over a 
D> config file format change.

Do I understand you right, that you propose a tens thousands lines of
untrivial code bulk update in order to fix a particular bug, that can be
nailed down separately? Do you also say that breaking configuration
files for a large number of people is okay if the update is expected
to fix a bug unrelated to configuration?

For me sounds like hunting a sparrow with a cannon.

-- 
Totus tuus, Glebius.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20140729101806.GB89995>