Date:      Tue, 29 Jul 2014 14:18:06 +0400
From:      Gleb Smirnoff <>
To:        Darren Pilgrim <>
Cc:        "Kristian K. Nielsen" <>, Franco Fichtner <>,,
Subject:   Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <>


On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote:
D> Never mistake silence for consent.
D> The vast majority of people don't know pf is outdated and broken on 
D> FreeBSD because they don't know what they're missing and likely aren't 
D> using IPv6 yet.  The moment you turn on IPv6 and restart a validating 
D> unbound, you run full-speed into pf's broken behaviour.  Make an 
D> EDNS0-enabled query for a signed zone and you'll get a fragmented UDP 
D> packet that will never make it through unless you tell pf to allow all 
D> fragments unconditionally.  They'll simply think something is wrong with 
D> unbound, turn off EDNS0 and/or validation, hurt performance and/or 
D> security in the process, and never realize their firewall is doing 
D> literally the worst possible thing it could do.
D> All because over half a decade ago some folks got all butthurt over a 
D> config file format change.

Do I understand you right that you propose a bulk update of tens of
thousands of lines of nontrivial code in order to fix a particular bug that
can be nailed down separately? Do you also say that breaking configuration
files for a large number of people is okay if the update is expected
to fix a bug unrelated to configuration?

To me this sounds like hunting a sparrow with a cannon.

Totus tuus, Glebius.
