On 2014-07-09 0:32, Kristian K. Nielsen wrote:
f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD and I am (as well as others) introducing more and more IPv6 in networks. E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933, which is the bug on not handling IPv6 fragments which has been open since 2008 and where the workaround is the necessity to leave an open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.
The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
Besides the long-standing bugs (like: scrub reassemble tcp breaks CRC on IPv6), the following stands out:

- last time I looked, neither PF nor IPFW could be used on a FreeBSD kernel built WITHOUT_INET. This means that features like ssh-guard and per-application protection on a dedicated IPv6-only host are not available
- no support for IPv6 prefix translation, and no stateful NAT64 support

Then, unrelated to IPv6:

- no support for DSCP (the TOS byte includes ECN bits, hard to filter out)
- the new 'match' mechanism would be really nice to have

Mark