Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
From: Paul Kraus
Date: Fri, 1 Aug 2014 10:12:24 -0400
To: Mark Felder
Cc: freebsd-questions@FreeBSD.org, Gleb Smirnoff, Darren Pilgrim, freebsd-current@freebsd.org

On Aug 1, 2014, at 8:46, Mark Felder wrote:

> I personally use pf for many reasons, spamd included. I don't think anyone out there is interested in forking spamd to play ball with ipfw so we would also be alienating these users who can't just change packet filters. Is there even an equivalent to pfsync for ipfw? I didn't think so, but I could be wrong...
>
> In the world of firewalls pf has been put on quite a pedestal. OpenBSD pushed it hard and marketed it well; people found it both powerful and easy to use, which created a cult following and lots of word of mouth advertising. I find it hard to agree with removing pf from FreeBSD because of the existing userbase. If there was an experimental label on it I would find its removal easier to swallow.

I have remained silent on this for two reasons:

1. I am a consumer of FreeBSD. I am a sysadmin, I am NOT a coder and *I* would not want any code that *I* wrote in the kernel of an OS that I was running. I know my limitations. So I could not contribute to the development of pf in FreeBSD.

2. Where I use packet filters on a host, and that is not very much, I tend to use ipfilter because in those cases my needs are simple. For heavy duty (read: gateway) filtering I use commercial firewalls like the Checkpoint 600 series. So the inclusion or exclusion of pf has no direct effect on me.

Having said all that, the reason I use FreeBSD over other open source OSes right now is that it is, in my opinion, the most "grown up" option. I have never seen Linux as an Enterprise tier OS due to a number of basic design decisions made by Linus and those around him. Illumos is very good, but fairly narrow in both its hardware support and feature set. I never took a long hard look at the other BSDs as FreeBSD was recommended by a friend and I liked what I found, ESPECIALLY the documentation in the Handbook.

I have read a lot of arguments on both sides of the pf in FreeBSD debate over the past weeks. Realistically I think what it comes down to is whether there is someone, a person, an individual with the necessary skill set and drive and desire (and that can be motivated by funding) to take ownership of it and run with it. If there is not, then I think pf in FreeBSD dies. No matter how many people want it to continue, no matter if it is best for FreeBSD for it to continue. Without someone to take ownership of it, then even if it continues it will not be top quality, and having something in FreeBSD that is not top quality would be a mistake (IMHO).

--
Paul Kraus
paul@kraus-haus.org