From owner-freebsd-questions@FreeBSD.ORG Tue Jul 29 10:18:26 2014
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5A6C0A07; Tue, 29 Jul 2014 10:18:26 +0000 (UTC)
Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "cell.glebius.int.ru", Issuer "cell.glebius.int.ru" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id D2A192682; Tue, 29 Jul 2014 10:18:24 +0000 (UTC)
Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.9/8.14.9) with ESMTP id s6TAI7u3030249 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 29 Jul 2014 14:18:07 +0400 (MSK) (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.9/8.14.9/Submit) id s6TAI67U030248; Tue, 29 Jul 2014 14:18:06 +0400 (MSK) (envelope-from glebius@FreeBSD.org)
X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f
Date: Tue, 29 Jul 2014 14:18:06 +0400
From: Gleb Smirnoff
To: Darren Pilgrim
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <20140729101806.GB89995@FreeBSD.org>
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <53CB4736.90809@bluerosetech.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: "Kristian K. Nielsen", Franco Fichtner, freebsd-current@freebsd.org, freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Jul 2014 10:18:26 -0000

Darren,

On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote:
D> Never mistake silence for consent.
D>
D> The vast majority of people don't know pf is outdated and broken on
D> FreeBSD because they don't know what they're missing and likely aren't
D> using IPv6 yet. The moment you turn on IPv6 and restart a validating
D> unbound, you run full-speed into pf's broken behaviour. Make an
D> EDNS0-enabled query for a signed zone and you'll get a fragmented UDP
D> packet that will never make it through unless you tell pf to allow all
D> fragments unconditionally. They'll simply think something is wrong with
D> unbound, turn off EDNS0 and/or validation, hurt performance and/or
D> security in the process, and never realize their firewall is doing
D> literally the worst possible thing it could do.
D>
D> All because over half a decade ago some folks got all butthurt over a
D> config file format change.

Do I understand you right that you propose a bulk update of tens of
thousands of lines of non-trivial code in order to fix a particular bug
that can be nailed down separately?

Do you also say that breaking configuration files for a large number of
people is okay if the update is expected to fix a bug unrelated to
configuration?

To me this sounds like hunting a sparrow with a cannon.

-- 
Totus tuus, Glebius.
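The two pf.conf approaches behind the exchange above, as an added example written by the editor; this is not configuration posted in the thread or shipped by the FreeBSD project. The resolver address and the macro name are constructed for illustration. It shows why the workaround Darren describes has to be "unconditional": a non-initial IPv6 fragment carries only the IPv6 and Fragment headers, with no UDP ports, so no rule can tell a fragmented DNSSEC reply apart from any other fragmented datagram. The alternative is to have pf reassemble before filtering, so the reassembled reply matches the resolver's own outbound state; whether `fragment reassemble` actually covers IPv6 depends on the pf version in use, which is the point the thread is arguing about.

```pf
# Constructed pf.conf excerpt (editor's example, not from the thread).
# Host firewall on a machine running a validating, EDNS0-enabled resolver.

resolver = "2001:db8::53"        # assumed address of the local unbound

# (a) The blunt workaround the thread refers to: pass every IPv6 fragment.
# Non-initial fragments have no transport header, so there is no port or
# state to match on; any rule that passes them is necessarily unconditional
# and also admits fragmented traffic that has nothing to do with DNS.
pass in  quick inet6 proto ipv6-frag
pass out quick inet6 proto ipv6-frag

# (b) What you want instead: reassemble fragments before the ruleset runs,
# so a large DNSSEC reply is evaluated as one UDP datagram and is admitted
# only because it matches state created by the resolver's own query.
# On a pf that cannot reassemble IPv6 this line changes nothing and the
# fragments after the first are still dropped, which is the failure mode
# described in the thread.
scrub in all fragment reassemble

block in log all

# Outbound queries from the resolver create state; replies (reassembled)
# return through that state. Nothing else reaches port 53 on the host.
pass out quick inet6 proto udp from $resolver to any port 53 keep state
pass out quick inet6 proto tcp from $resolver to any port 53 \
    flags S/SA keep state
```

A third option, not mentioned in the thread, sits between "turn off EDNS0" and "pass all fragments": cap the advertised EDNS0 buffer in unbound (`edns-buffer-size: 1232`, the value later adopted across resolvers for the 2020 "DNS flag day") so replies fit in an unfragmented 1280-byte IPv6 packet and larger answers fall back to TCP; validation stays on and the firewall never sees the fragments.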