Date: Sat, 6 Apr 2002 21:42:54 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Scott Lampert <scott@lampert.org>
Cc: security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Message-ID: <20020406214253.H70207@blossom.cjclark.org>
In-Reply-To: <20020406144717.5b973afd.scott@lampert.org>; from scott@lampert.org on Sat, Apr 06, 2002 at 02:47:17PM -0800
References: <20020328064640.GA74780@area51.dk> <Pine.LNX.4.44.0203281308070.2202-100000@scribble.fsn.hu> <20020328121200.C97841@blossom.cjclark.org> <20020406144717.5b973afd.scott@lampert.org>

On Sat, Apr 06, 2002 at 02:47:17PM -0800, Scott Lampert wrote:
> On Thu, 28 Mar 2002 12:12:00 -0800
> "Crist J. Clark" <cjc@FreeBSD.ORG> wrote:
>
> > On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> > > Hello,
> > >
> > > > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > > > annoyance with the fact that there are now three filters (ipfw, ipf and
> > > > pf) so it seems unlikely that FreeBSD is going to port it.
> > > I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> > > you are paranoid you can set up your firewall rules in two packet filters,
> > > which has a different codebase. So if one fails, it is unlikely that the
> > > other will too.
> > > I think it is good to have more than one packet filter in the kernel :)
> > >
> > > With PF some more features could be also ported, like the bridge support.
> > > And that would be a good thing also.
> >
> > There is nothing special about PF that makes bridge support
> > easier. After all, there is mature bridging support for IPFilter in
> > OpenBSD. I also recently committed a hack for IPFilter bridging
> > support in -CURRENT. I'll put the -STABLE patches on the website
> > listed in the headers and .sig today if anyone wants 'em.
>
> Please do!

The patch is there.

> That's the one thing I've really been missing in FreeBSD.
> Any chance of that ever making it into a RELEASE tree?

It's in 5.0-CURRENT so it may make 5.0-RELEASE. ;)

I do not plan to merge the code into 4.x-STABLE in its current form. I
really am not happy with how it works in -CURRENT either, but to get
it to work more cleanly and in a way darrenr suggested, I'd need to
modify IPFilter code, which I have tried to avoid. So the -CURRENT
code is experimental, but that's OK for -CURRENT. It's not OK for
-STABLE. I recently started working full-time again and don't see myself
working too much on this without funding or some other motivation to
"do it right."
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org