Date:      Sat, 19 Jul 2014 21:38:50 -0700
From:      Adrian Chadd <adrian@freebsd.org>
To:        Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc:        "Kristian K. Nielsen" <freebsd@com.jkkn.dk>, Franco Fichtner <franco@lastsummer.de>, freebsd-current <freebsd-current@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID:  <CAJ-VmokCBP8Kj0WOCnxvTKOY1L-igeboFub8GWyygcXbKpZ-uw@mail.gmail.com>
In-Reply-To: <53CB4736.90809@bluerosetech.com>
References:  <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com>

On 19 July 2014 21:36, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
> On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>>>
>>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>>> discussion on the pf-mailing list flamed the new syntax saying it would
>>> cause FreeBSD administrators too much headache. Today on the list it seems
>>> everyone wants it - so would we rather stay on a dead branch than keep up
>>> with the main stream?
>>
>>
>> I'd say many people are comfortable with an old state of pf (silent
>> majority), but that shouldn't keep us from catching up with newer
>> features (and of course bugfixes).
>
>
> Never mistake silence for consent.
>
> The vast majority of people don't know pf is outdated and broken on FreeBSD
> because they don't know what they're missing and likely aren't using IPv6
> yet.  The moment you turn on IPv6 and restart a validating unbound, you run
> full-speed into pf's broken behaviour.  Make an EDNS0-enabled query for a
> signed zone and you'll get a fragmented UDP packet that will never make it
> through unless you tell pf to allow all fragments unconditionally.  They'll
> simply think something is wrong with unbound, turn off EDNS0 and/or
> validation, hurt performance and/or security in the process, and never
> realize their firewall is doing literally the worst possible thing it could
> do.
>
> All because over half a decade ago some folks got all butthurt over a config
> file format change.

If someone wants to port the up to date pf and can fix whatever
performance / parallelism issues creep up, then go for it.


-a
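The failure mode Darren describes, illustrated as an added pf.conf fragment (this is not from the thread or from the FreeBSD project): the unconditional fragment rule the post mentions is shown commented out beside a narrower form that only admits fragments addressed to the validating resolver. The interface name, the resolver address and the rule ordering are assumptions.

```pf
# Constructed example pf.conf fragment; $ext_if and $resolver are assumed.
ext_if   = "em0"
resolver = "2001:db8::53"      # host running the validating unbound

# IPv4 fragments get reassembled by scrub, so the stateful rules below see
# whole datagrams.  The pf in FreeBSD at the time of this thread did not
# reassemble IPv6 fragments: a non-first IPv6 fragment carries no UDP
# header, so it never matches a "proto udp" state entry, and the tail of a
# large EDNS0/DNSSEC reply falls through to the default block.
scrub in all fragment reassemble

block in log all

# Outbound queries from the resolver; the state entry admits the reply's
# first fragment (the one that still carries the UDP header).
pass out on $ext_if inet6 proto udp from $resolver to any port 53 keep state

# Weak workaround from the thread: admit every IPv6 fragment from anywhere
# to anywhere, stateless.  Left commented out on purpose.
# pass in quick on $ext_if inet6 proto ipv6-frag

# Narrower form: still stateless (pf cannot do better without IPv6
# reassembly), but bounded to the one host that needs large UDP replies.
pass in quick on $ext_if inet6 proto ipv6-frag to $resolver
```

A quick check that the narrowing is doing its job is to watch the `block in log` rule on `pflog0` while issuing a DNSSEC query with a large EDNS0 buffer from the resolver: the reply's trailing fragments should no longer appear there.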
