On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>> discussion on the pf-mailing list flamed the new syntax saying it would cause
>> FreeBSD administrators too much headache. Today on the list it seems everyone
>> wants it - so would we rather stay on a dead branch than keep up with the main
>
> I'd say many people are comfortable with an old state of pf (silent
> majority), but that shouldn't keep us from catching up with newer
> features (and of course bugfixes).

Never mistake silence for consent.

The vast majority of people don't know pf is outdated and broken on FreeBSD because they don't know what they're missing and likely aren't using IPv6 yet. The moment you turn on IPv6 and restart a validating unbound, you run full-speed into pf's broken behaviour. Make an EDNS0-enabled query for a signed zone and you'll get a fragmented UDP packet that will never make it through unless you tell pf to allow all fragments unconditionally. They'll simply think something is wrong with unbound, turn off EDNS0 and/or validation, hurt performance and/or security in the process, and never realize their firewall is doing literally the worst possible thing it could do.

All because over half a decade ago some folks got all butthurt over a config file format change.
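The failure mode described in the post above, as an added example that is not part of this thread or of pf or unbound: a small Python script that builds an EDNS0 query (RFC 6891 OPT pseudo-RR with the DO bit set), reads back the UDP payload size a resolver advertises, and checks whether a response of a given size would have to be fragmented on an IPv6 path at the 1280-byte minimum MTU (RFC 8200). The point for a defender is that the fix is not to disable EDNS0 or validation, as the post warns people do; clamping the advertised buffer so responses fit in one datagram keeps DNSSEC working without depending on the firewall passing fragments. The `edns_buffer_for_mtu` helper computes that clamp, and the comment naming unbound's `edns-buffer-size` option is an assumption about the resolver's configuration, not something taken from this thread. All packet bytes are constructed here for illustration.

```python
import struct

# RFC 6891 EDNS0 constants
OPT_TYPE = 41
DO_FLAG = 0x8000            # DNSSEC OK bit in the OPT TTL field
IPV6_MIN_MTU = 1280         # RFC 8200: every IPv6 link must carry this size
IPV6_HDR_LEN = 40
UDP_HDR_LEN = 8


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(packet, pos):
    """Return the offset just past the name starting at pos (handles compression pointers)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return pos + 2
        pos += 1 + length


def build_edns_query(qname, qtype, udp_payload_size, dnssec_ok=True, txid=0x1234):
    """Build a DNS query carrying one OPT pseudo-RR in the additional section."""
    # flags 0x0100 = recursion desired; 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    ttl = DO_FLAG if dnssec_ok else 0   # ext-rcode=0, version=0, flags
    # OPT RR: root name, type 41, "class" = advertised UDP payload size, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)
    return header + question + opt


def parse_edns(packet):
    """Return (udp_payload_size, dnssec_ok) from the OPT record, or None if there is none."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):                 # skip question section
        pos = skip_name(packet, pos) + 4
    for _ in range(ancount + nscount):       # skip answer and authority RRs
        name_end = skip_name(packet, pos)
        rdlen = struct.unpack("!H", packet[name_end + 8:name_end + 10])[0]
        pos = name_end + 10 + rdlen
    for _ in range(arcount):                 # look for OPT in the additional section
        name_end = skip_name(packet, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[name_end:name_end + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        pos = name_end + 10 + rdlen
    return None


def will_fragment(dns_payload_len, path_mtu=IPV6_MIN_MTU):
    """True if a UDP/IPv6 datagram carrying this DNS payload exceeds the path MTU."""
    return dns_payload_len + IPV6_HDR_LEN + UDP_HDR_LEN > path_mtu


def edns_buffer_for_mtu(path_mtu=IPV6_MIN_MTU):
    """Largest EDNS buffer size that never needs IPv6 fragmentation on this path.

    Assumption: the resolver honours this as its advertised size, e.g. unbound's
    `edns-buffer-size:` option in the server: section.
    """
    return path_mtu - IPV6_HDR_LEN - UDP_HDR_LEN


if __name__ == "__main__":
    # Constructed example: a validating resolver advertising a 4096-byte buffer
    query = build_edns_query("example.com.", 48, 4096)       # 48 = DNSKEY
    size, do_bit = parse_edns(query)
    print("advertised buffer: %d, DO bit: %s" % (size, do_bit))
    print("a full-size response fragments on IPv6:", will_fragment(size))
    print("safe edns-buffer-size for IPv6 min MTU:", edns_buffer_for_mtu())
```

Run it to see what a resolver configured with a 4096-byte buffer tells the world, and why a signed-zone response filling that buffer arrives as fragments that a firewall dropping them will silently eat. Setting the buffer to the value `edns_buffer_for_mtu()` returns (1232 for the IPv6 minimum MTU) makes the resolver fall back to TCP for larger answers instead of relying on fragments, so validation keeps working even behind the pf behaviour the post complains about.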
freebsd-current@freebsd.org mailing list
