Date:      Fri, 1 Aug 2014 10:12:24 -0400
From:      Paul Kraus <>
To:        Mark Felder <>
Cc:, Gleb Smirnoff <>, Darren Pilgrim <>,
Subject:   Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <> <>

On Aug 1, 2014, at 8:46, Mark Felder <> wrote:

> I personally use pf for many reasons, spamd included. I don't think
> anyone out there is interested in forking spamd to play ball with ipfw
> so we would also be alienating these users who can't just change packet
> filters. Is there even an equivalent to pfsync for ipfw? I didn't think
> so, but I could be wrong...
>
> In the world of firewalls pf has been put on quite a pedestal.
> OpenBSD pushed it hard and it marketed it well; people found it both
> powerful and easy to use which created a cult following and lots of word
> of mouth advertising. I find it hard to agree with removing pf from
> FreeBSD because of the existing userbase. If there was an experimental
> label on it I would find its removal easier to swallow.

I have remained silent on this for two reasons:

1. I am a consumer of FreeBSD. I am a sysadmin, I am NOT a coder and *I*
would not want any code that *I* wrote in the kernel of an OS that I was
running. I know my limitations. So I could not contribute to the
development of pf in FreeBSD.

2. Where I use packet filters on a host, and that is not very much, I
tend to use ipfilter because in those cases my needs are simple. For
heavy duty (read: gateway) filtering I use commercial firewalls like the
Checkpoint 600 series. So the inclusion or exclusion of pf has no direct
effect on me.

Having said all that, the reason I use FreeBSD over other open source
OSes right now is that it is, in my opinion, the most “grown up”
option. I have never seen Linux as an Enterprise tier OS due to a number
of basic design decisions made by Linus and those around him. Illumos is
very good, but fairly narrow in both its hardware support and feature
set. I never took a long hard look at the other BSDs as FreeBSD was
recommended by a friend and I liked what I found, ESPECIALLY the
documentation in the Handbook.

I have read a lot of arguments on both sides of the pf in FreeBSD debate
over the past weeks. Realistically I think what it comes down to is
whether there is someone, a person, an individual with the necessary
skill set and drive and desire (and that can be motivated by funding) to
take ownership of it and run with it. If there is not, then I think pf
in FreeBSD dies. No matter how many people want it to continue, no
matter if it is best for FreeBSD for it to continue. Without someone to
take ownership of it, then even if it continues it will not be top
quality, and having something in FreeBSD that is not top quality would
be a mistake (IMHO).

Paul Kraus
