From: Mark Felder
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Fri, 1 Aug 2014 12:46:08 +0000
To: Darren Pilgrim, Gleb Smirnoff
Cc: freebsd-current@freebsd.org, freebsd-questions@FreeBSD.org
In-Reply-To: <53D9F300.2010308@bluerosetech.com>

July 31 2014 2:41 AM, "Darren Pilgrim" wrote:

>> No. I believe pf should be removed from FreeBSD and efforts refocused
>> on keeping ipfw up to date and feature complete. It makes more sense to
>> look at what pf, ipf, nbtables, etc. are all doing as a source of ideas
>> for what we can do with ipfw. A decade ago, there was justification for
>> adding pf: at the time, ipfw lacked some major features.
>>
>> Ipfw has since caught up. I see no remaining value in having more than
>> one packet filter in the base. Ipfw is more mature and less broken, so
>> we should keep it and ditch the rest in the name of survival efficiency.

pf is not simply replaceable in many environments. For example, people use it specifically for its integration with the spamd greylisting daemon.
I think it's reasonable to assume they did so because the whole spam filtering stack performs better on FreeBSD than on OpenBSD. This was just recently mentioned on twitter:

@ng_security: Why was the pf ioctl needed buffer reduced in FreeBSD 10? I'm not able to load my full spamd blacklist anymore. @freebsd #spamd #pf
https://twitter.com/ng_security/status/494982307905040384

I personally use pf for many reasons, spamd included. I don't think anyone out there is interested in forking spamd to play ball with ipfw, so we would also be alienating these users who can't just change packet filters. Is there even an equivalent to pfsync for ipfw? I didn't think so, but I could be wrong...

In the world of firewalls pf has been put on quite a pedestal. OpenBSD pushed it hard and marketed it well; people found it both powerful and easy to use, which created a cult following and lots of word-of-mouth advertising. I find it hard to agree with removing pf from FreeBSD because of the existing userbase. If there was an experimental label on it I would find its removal easier to swallow.

I think it's worth pointing out that nobody really wanted to maintain an incompatible fork of ZFS indefinitely either; it would be a monumental if not suicidal task. And who wants to deal with the bad PR about FreeBSD being years behind Illumos features or, *gasp*, even letting a native Linux implementation one-up us? People found a way to collaborate, the OpenZFS movement was founded, and this is a mostly solved problem, OS nuances aside. I can appreciate that people seem to care more about their data than their packet filters, and FreeBSD ZFS certainly moves a lot of servers and appliances, furthering the userbase whether or not they're using FreeBSD or TrueOS or some other derivative. Let's continue to give people another reason to put FreeBSD in their datacenters. Let's try to compete in the firewall/packet filter space too.
On a side note I'd also like to point out that FreeBSD has been advertising pf by listing it first in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

I'm sure there's a subliminal message being sent there, intentional or not.

I don't want to see FreeBSD lose mindshare from its absence in a time where FreeBSD uptake seems to be rising, thanks in part to bad decisions in the GNU/Linux camp. This feels like a solvable problem if funding and enthusiasm is put behind it. OpenBSD really sounds willing to collaborate, if not just because they're tired of seeing neglected forks of one of their prized babies: FreeBSD, NetBSD, DragonFlyBSD, OSX, iOS...