Date: Fri, 1 Aug 2014 10:12:24 -0400
From: Paul Kraus <paul@kraus-haus.org>
To: Mark Felder <feld@freebsd.org>
Cc: freebsd-questions@FreeBSD.org, Gleb Smirnoff <glebius@FreeBSD.org>, Darren Pilgrim <list_freebsd@bluerosetech.com>, freebsd-current@freebsd.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <4F589754-EF79-4E59-87FE-08A7DBDF7211@kraus-haus.org>
In-Reply-To: <74dec781e44c3a81c78e9c4ff1d51c2a@mail.feld.me>
References: <53D9F300.2010308@bluerosetech.com> <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com> <20140729101806.GB89995@FreeBSD.org> <74dec781e44c3a81c78e9c4ff1d51c2a@mail.feld.me>

On Aug 1, 2014, at 8:46, Mark Felder <feld@freebsd.org> wrote:

> I personally use pf for many reasons, spamd included. I don't think anyone out there is interested in forking spamd to play ball with ipfw so we would also be alienating these users who can't just change packet filters. Is there even an equivalent to pfsync for ipfw? I didn't think so, but I could be wrong...
>
> In the world of firewalls pf has been put on quite a pedestal. OpenBSD pushed it hard and it marketed it well; people found it both powerful and easy to use which created a cult following and lots of word of mouth advertising. I find it hard to agree with removing pf from FreeBSD because of the existing userbase. If there was an experimental label on it I would find its removal easier to swallow.

I have remained silent on this for two reasons:

1. I am a consumer of FreeBSD. I am a sysadmin, I am NOT a coder and *I* would not want any code that *I* wrote in the kernel of an OS that I was running. I know my limitations. So I could not contribute to the development of pf in FreeBSD.

2. Where I use packet filters on a host, and that is not very much, I tend to use ipfilter because in those cases my needs are simple. For heavy duty (read: gateway) filtering I use commercial firewalls like the Checkpoint 600 series. So the inclusion or exclusion of pf has no direct effect on me.

Having said all that, the reason I use FreeBSD over other open source OSes right now is that it is, in my opinion, the most “grown up” option. I have never seen Linux as an Enterprise tier OS due to a number of basic design decisions made by Linus and those around him. Illumos is very good, but fairly narrow in both its hardware support and feature set. I never took a long hard look at the other BSDs as FreeBSD was recommended by a friend and I liked what I found, ESPECIALLY the documentation in the Handbook.

I have read a lot of arguments on both sides of the pf in FreeBSD debate over the past weeks. Realistically I think what it comes down to is whether there is someone, a person, an individual with the necessary skill set and drive and desire (and that can be motivated by funding) to take ownership of it and run with it. If there is not, then I think pf in FreeBSD dies. No matter how many people want it to continue, no matter if it is best for FreeBSD for it to continue. Without someone to take ownership of it, then even if it continues it will not be top quality, and having something in FreeBSD that is not top quality would be a mistake (IMHO).

--
Paul Kraus
paul@kraus-haus.org