Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread krad
I always found natting in ipfw rather awkward and harder than in pf. Looking at the man page it doesn't seem to have changed. I should probably give it another go though as it has been about 10 years now. On 31 July 2014 14:41, Gleb Smirnoff gleb...@freebsd.org wrote: On Thu, Jul 31, 2014 at

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread 2802717842
------ From: krad kra...@gmail.com; Date: 2014-08-01 3:39; To: Gleb Smirnoff gleb...@freebsd.org; Cc: freebsd-current freebsd-current@freebsd.org; FreeBSD Questions freebsd-questi...@freebsd.org; Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread Mark Felder
July 31 2014 2:41 AM, Darren Pilgrim wrote: No. I believe pf should be removed from FreeBSD and efforts refocused on keeping ipfw up to date and feature complete. It makes more sense to look at what pf, ipf, nbtables, etc. are all doing as a source of ideas for what we can do with ipfw. A

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread Ian Smith
In freebsd-questions Digest, Vol 530, Issue 5, Message: 1 On Thu, 31 Jul 2014 22:02:22 +1000 Da Rock freebsd-questi...@herveybayaustralia.com.au wrote: On 07/29/14 20:35, Gleb Smirnoff wrote: On Sun, Jul 20, 2014 at 12:30:59PM -0400, Mike. wrote: M | imho, the root problem here is that an

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread Paul Kraus
On Aug 1, 2014, at 8:46, Mark Felder f...@freebsd.org wrote: I personally use pf for many reasons, spamd included. I don't think anyone out there is interested in forking spamd to play ball with ipfw so we would also be alienating these users who can't just change packet filters. Is there

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread John-Mark Gurney
Cy Schubert wrote this message on Wed, Jul 23, 2014 at 09:18 -0700: In message CAJ-Vmo=_vLkMZn02EPUmpvqugcT8ga1_Kqs=XU49SGUNGEO0Pw@mail.gmail.com, Adrian Chadd writes: On 18 July 2014 07:34, krad kra...@gmail.com wrote: that is true and I have no problem using man pages, however that's

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-08-01 Thread Julian Elischer
On 8/1/14, 3:39 PM, krad wrote: I always found natting in ipfw rather awkward and harder than in pf. Looking at the man page it doesn't seem to have changed. I should probably give it another go though as it has been about 10 years now. Since ipfw now has a 'nat' keyword you might say that it has

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-31 Thread Darren Pilgrim
On 7/29/2014 3:18 AM, Gleb Smirnoff wrote: Darren, On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote: D Never mistake silence for consent. D D The vast majority of people don't know pf is outdated and broken on D FreeBSD because they don't know what they're missing and likely

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-31 Thread Darren Reed
On 30/07/2014 2:54 AM, Kevin Oberman wrote: ... I would hope that is not the case. While NAT66 is well known and has been a topic of discussion for years, NPT66 is relatively new. It does share many concepts with NAT66 (and, most likely implementations also share code), but does not require

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-31 Thread Da Rock
On 07/29/14 20:35, Gleb Smirnoff wrote: On Sun, Jul 20, 2014 at 12:30:59PM -0400, Mike. wrote: M | imho, the root problem here is that an effort to implement a M single M | feature improvement (multi-threading) has caused the FreeBSD M version M | of pf to apparently reach a near-unmaintainable

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-31 Thread Gleb Smirnoff
On Thu, Jul 31, 2014 at 10:02:22PM +1000, Da Rock wrote: D Without diminishing your efforts so far, what do you think about D pitching all efforts into IPFW to combine effort and reduce overhead of D maintaining separate firewalls in the core? Is there an advantage to D having our own pf? Is

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Willem Jan Withagen
On 2014-07-29 0:07, Kevin Oberman wrote: And all IPv6 NAT is evil and should be cast into (demonic residence of your choosing) on sight! NAT on IPv6 serves no useful purpose at all. It only serves to complicate things and make clueless security officers happy. It adds zero security. It is a

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Darren Reed
On 29/07/2014 8:07 AM, Kevin Oberman wrote: ... And all IPv6 NAT is evil and should be cast into (demonic residence of your choosing) on sight! For the most part, I agree with you but the problem is checkbox comparisons. That IPv6 shouldn't be NAT'd is why I didn't implement it for such a long

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Gleb Smirnoff
Darren, On Sat, Jul 19, 2014 at 09:36:06PM -0700, Darren Pilgrim wrote: D Never mistake silence for consent. D D The vast majority of people don't know pf is outdated and broken on D FreeBSD because they don't know what they're missing and likely aren't D using IPv6 yet. The moment you turn

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Gleb Smirnoff
On Sun, Jul 20, 2014 at 12:30:59PM -0400, Mike. wrote: M | imho, the root problem here is that an effort to implement a M single M | feature improvement (multi-threading) has caused the FreeBSD M version M | of pf to apparently reach a near-unmaintainable position in the M | FreeBSD community

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Gleb Smirnoff
Replying to the top of the thread, but the text is actually a reply to those people in the thread who are eager for import of new pf from OpenBSD. So, I claim that there is a vast and silent majority of people who simply use pf and do not want the hassle with broken pf.conf. I also claim that

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Gleb Smirnoff
Yet another top reply to everyone. If anyone is interested in maintaining our FreeBSD version of pf and taking strategically right (my opinion!) steps in its life, here is a short TODO list: 1) Make Peter and FreeBSD cluster happy. Work on the IPv6 fragments handling. IMHO, the right way

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Cy Schubert
In message CAN6yY1uHJn4xA-5zFr4fZez3FyXi7tT0LmhyR8yWkqG7k1A+=A@mail.gmail.com, Kevin Oberman writes: On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed darr...@freebsd.org wrote: On 27/07/2014 4:43 AM, Cy Schubert wrote: In message 53d395e4.1070...@fastmail.net, Darren Reed writes: On

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Mark Martinec
me wrote: we are talking about NAT64 (IPv6-only datacenter's path to a legacy world), and NPT66 (prefix translation). I doubt anyone had a traditional NAT in mind. Kevin Oberman wrote: No, all of the messages in the thread are specific about NAT66, not NPT66. NPT66 may have real value. I

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Kevin Oberman
On Tue, Jul 29, 2014 at 7:48 AM, Mark Martinec mark.martinec+free...@ijs.si wrote: me wrote: we are talking about NAT64 (IPv6-only datacenter's path to a legacy world), and NPT66 (prefix translation). I doubt anyone had a traditional NAT in mind. Kevin Oberman wrote: No, all of the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-29 Thread Adrian Chadd
On 29 July 2014 09:54, Kevin Oberman rkober...@gmail.com wrote: On Tue, Jul 29, 2014 at 7:48 AM, Mark Martinec mark.martinec+free...@ijs.si wrote: me wrote: we are talking about NAT64 (IPv6-only datacenter's path to a legacy world), and NPT66 (prefix translation). I doubt anyone had a

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-28 Thread Darren Reed
On 27/07/2014 4:43 AM, Cy Schubert wrote: In message 53d395e4.1070...@fastmail.net, Darren Reed writes: On 24/07/2014 1:42 AM, Cy Schubert wrote: But, lack of ipv6 fragment processing still causes ongoing pain. That's our #1 wish list item for the cluster. Taking this discussion

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-28 Thread Kevin Oberman
On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed darr...@freebsd.org wrote: On 27/07/2014 4:43 AM, Cy Schubert wrote: In message 53d395e4.1070...@fastmail.net, Darren Reed writes: On 24/07/2014 1:42 AM, Cy Schubert wrote: But, lack of ipv6 fragment processing still causes ongoing pain.

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-28 Thread Mark Martinec
On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed darr...@freebsd.org wrote: [...] IPFilter 5 does IPv6 NAT. With the import of 5.1.2, map, rdr and rewrite rules will all work with IPv6 addresses. NAT66 is a specific implementation of IPv6 NAT behaviour. 2014-07-29 00:07 Kevin Oberman wrote:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-28 Thread Kevin Oberman
On Mon, Jul 28, 2014 at 4:21 PM, Mark Martinec mark.martinec+free...@ijs.si wrote: On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed darr...@freebsd.org wrote: [...] IPFilter 5 does IPv6 NAT. With the import of 5.1.2, map, rdr and rewrite rules will all work with IPv6 addresses. NAT66 is a

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-26 Thread Darren Reed
On 24/07/2014 1:42 AM, Cy Schubert wrote: But, lack of ipv6 fragment processing still causes ongoing pain. That's our #1 wish list item for the cluster. Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-26 Thread Mark Felder
We've already heard of Henning offering to help port a new pf but the olive branch has been extended even further. He responded to some comments of mine on twitter: @HenningBrauer: @rhymebyter @feldpos I offered help/advice to whomever seriously attempts to update pf in @dragonflybsd AND

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-26 Thread Adrian Chadd
The flow in both directions has to include: * better locking / parallelism * virtualised forwarding support (ie, vimage) If he's happy to include some stubs for that, then sure. I think both dfbsd and freebsd can use the same pf. -a On 26 July 2014 08:27, Mark Felder f...@freebsd.org wrote:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-26 Thread Cy Schubert
In message 53d395e4.1070...@fastmail.net, Darren Reed writes: On 24/07/2014 1:42 AM, Cy Schubert wrote: But, lack of ipv6 fragment processing still causes ongoing pain. That's our #1 wish list item for the cluster. Taking this discussion slightly sideways but touching on this

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-25 Thread Cy Schubert
Sorry for the late reply. It's a busy time right now. In message 53d0239d.1050...@a1poweruser.com, Fbsd8 writes: Cy Schubert wrote: On 20.07.2014 18:15, Maxim Khitrov wrote: In my opinion, the way forward is to forget (at least temporarily) the SMP changes, bring pf in sync with OpenBSD,

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-24 Thread Mark Felder
On Jul 23, 2014, at 15:59, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it never tracked it down to the code but I am

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-24 Thread Mark Felder
On Jul 24, 2014, at 13:43, Mark Felder f...@freebsd.org wrote: Upstream pf from OpenBSD has removed this feature entirely and (I believe) reworked their scrubbing, but I don't know the details. I can confirm that when reassemble tcp existed on OpenBSD it never broke traffic for me.

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-24 Thread Peter Wemm
On Wednesday 23 July 2014 20:59:19 Bjoern A. Zeeb wrote: On 23 Jul 2014, at 20:41 , Allan Jude allanj...@freebsd.org wrote: On 2014-07-23 16:38, Bjoern A. Zeeb wrote: On 23 Jul 2014, at 15:42 , Cy Schubert cy.schub...@komquats.com wrote: Taking this discussion slightly sideways but touching

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Darren Reed
On 21/07/2014 5:14 AM, Eric Masson wrote: krad kra...@gmail.com writes: Hi, I really like the idea of the openpf version, that has been mentioned in this thread. It would be nice but as it's been written in this thread, Open Free internals are quite different beasts, goals are different

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Cy Schubert
In message CAJ-Vmo=_vLkMZn02EPUmpvqugcT8ga1_Kqs=XU49SGUNGEO0Pw@mail.gmail.com, Adrian Chadd writes: On 18 July 2014 07:34, krad kra...@gmail.com wrote: that is true and I have no problem using man pages, however that's not the way most of the world work and search engines aren't exactly new

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Cy Schubert
In message 20381608.hhy3qfh...@overcee.wemm.org, Peter Wemm writes: On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote: On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote: On 2014-07-18 15:07, Adrian Chadd wrote: On 18 July 2014 07:34, krad kra...@gmail.com wrote:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Cy Schubert
In message 53ccf596.1070...@yandex.ru, Andrey V. Elsukov writes: On 20.07.2014 18:15, Maxim Khitrov wrote:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Cy Schubert
In message alpine.lrh.2.11.1407201430030.2...@nber7.nber.org, Daniel Feenberg writes: On Sun, 20 Jul 2014, Lars Engels wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Bjoern A. Zeeb
On 23 Jul 2014, at 15:42 , Cy Schubert cy.schub...@komquats.com wrote: Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support too. Pf doesn't support it for sure. I've been told that ipfw may and I suspect ipfilter

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Allan Jude
On 2014-07-23 16:38, Bjoern A. Zeeb wrote: On 23 Jul 2014, at 15:42 , Cy Schubert cy.schub...@komquats.com wrote: Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support too. Pf doesn't support it for sure. I've been

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Bjoern A. Zeeb
On 23 Jul 2014, at 20:41 , Allan Jude allanj...@freebsd.org wrote: On 2014-07-23 16:38, Bjoern A. Zeeb wrote: On 23 Jul 2014, at 15:42 , Cy Schubert cy.schub...@komquats.com wrote: Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-23 Thread Fbsd8
Cy Schubert wrote: In message 53ccf596.1070...@yandex.ru, Andrey V. Elsukov writes: On 20.07.2014 18:15, Maxim

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread sthaug
Also, the openbsd stack has some essential features missing in freebsd, like mpls and md5 auth for bgp sessions. I use MD5 auth for BGP sessions every day (and have been doing so for several releases). One could definitely wish for better integration - having to specify MD5 key both

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread Andrey V. Elsukov
On 20.07.2014 18:15, Maxim Khitrov wrote: In my opinion, the way forward is to forget (at least temporarily) the SMP changes, bring pf in sync with OpenBSD, put a policy in place to follow their releases as closely as possible, and then try to reintroduce all the SMP work. I think the latter

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread Andreas Nilsson
On Mon, Jul 21, 2014 at 8:56 AM, sth...@nethelp.no wrote: Also, the openbsd stack has some essential features missing in freebsd, like mpls and md5 auth for bgp sessions. I use MD5 auth for BGP sessions every day (and have been doing so for several releases). One could

RE: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread bycn82
There is no doubt that PF is a really good firewall, but we should notice that there is an ipfw which is originally from FreeBSD while PF is from OpenBSD. If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve the ipfw. But if you just like the PF

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread Franco Fichtner
Hi Julian, On 21 Jul 2014, at 05:15, Julian Elischer jul...@freebsd.org wrote: Most people I talk to just use ipfw and couldn't care whether pf lives or dies. They have simple requirements and almost any filter would suffice. I haven't found anything I'd want to use pf for that ipfw

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread Allan Jude
On 2014-07-21 09:57, bycn82 wrote: There is no doubt that PF is a really good firewall, but we should notice that there is an ipfw which is originally from FreeBSD while PF is from OpenBSD. If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve

NPF (was Re: Future of pf / firewall in FreeBSD ? - does it have one ?)

2014-07-21 Thread Pedro Giffuni
FWIW, and while I still wonder why we need three packet filters … There is yet another firewall implementation in NetBSD: http://www.netbsd.org/~rmind/npf/ It seems to be more portable, it is thought with SMP-friendliness in mind and according to a EuroBSDCon talk ports for FreeBSD and Illumos

RE: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-21 Thread bycn82
I thought the nat in ipfw is as elegant as in iptables :) but it is good to know that, because a different opinion actually is a chance to improve. And why not share with us why the ipfw nat is cumbersome or how to be not cumbersome. -Original Message- From:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread krad
all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user level, is a bad thing. It confuses people, which puts them off. It's a classic case of divide and conquer for other platforms. I really like the idea of the openpf version, that has been mentioned

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Lars Engels
On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user level, is a bad thing. It confuses people, which puts them off. It's a classic case of divide and conquer for other platforms. I really

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Maxim Khitrov
On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels lars.eng...@0x20.net wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user level, is a bad thing. It confuses people, which puts them off.

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Baptiste Daroussin
On Sun, Jul 20, 2014 at 10:15:36AM -0400, Maxim Khitrov wrote: On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels lars.eng...@0x20.net wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Mike.
On 7/19/2014 at 9:36 PM Darren Pilgrim wrote: |On 7/18/2014 6:51 AM, Franco Fichtner wrote: | [snip] | | |All because over half a decade ago some folks got all butthurt over a |config file format change. = I'm juggling two formats for specifying NIC configurations in rc.conf, one

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Franco Fichtner
On 20 Jul 2014, at 15:39, Mike. the.li...@mgm51.com wrote: imho, the root problem here is that an effort to implement a single feature improvement (multi-threading) has caused the FreeBSD version of pf to apparently reach a near-unmaintainable position in the FreeBSD community because

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Mike.
On 7/20/2014 at 5:38 PM Franco Fichtner wrote: |On 20 Jul 2014, at 15:39, Mike. the.li...@mgm51.com wrote: | | imho, the root problem here is that an effort to implement a single | feature improvement (multi-threading) has caused the FreeBSD version | of pf to apparently reach a

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Alexander Kabaev
On Sun, 20 Jul 2014 10:15:36 -0400 Maxim Khitrov m...@mxcrypt.com wrote: On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels lars.eng...@0x20.net wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Eric Masson
krad kra...@gmail.com writes: Hi, I really like the idea of the openpf version, that has been mentioned in this thread. It would be nice but as it's been written in this thread, Open Free internals are quite different beasts, goals are different on both platforms, so I doubt OpenPF will

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Daniel Feenberg
On Sun, 20 Jul 2014, Lars Engels wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user level, is a bad thing. It confuses people, which puts them off. It's a classic case of divide and

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Lyndon Nerenberg
On Jul 20, 2014, at 11:35 AM, Daniel Feenberg feenb...@nber.org wrote: Rather they have said An updated pf would not be suitable, as it would be incompatible with existing configuration files. A major FreeBSD version increment is allowed to break that level of backwards compatibility.

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Kurt Jaeger
Hi! And you don't seem to get the point that _someone_ has to do the work. No one has stepped up so far, so nothing is going to change. Franco Fichtner said he's interested in doing it. He probably needs funding. No one with authority has yet said that If an updated pf were available,

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Stephen Hurd
krad wrote: all of that is true, but you are missing the point. Having two versions of pf on the bsd's at the user level, is a bad thing. It confuses people, which puts them off. It's a classic case of divide and conquer for other platforms. I really like the idea of the openpf version, that

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Adrian Chadd
No one needs to say you can do X. You can just fork freebsd in whatever form you want, update to the latest github and work to eventually get it included. Or you could treat it as an entirely external-from-system plugin module that you compile up - the packet filter hooks API lets you do this

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Andreas Nilsson
On Sun, Jul 20, 2014 at 7:41 PM, Alexander Kabaev kab...@gmail.com wrote: On Sun, 20 Jul 2014 10:15:36 -0400 Maxim Khitrov m...@mxcrypt.com wrote: On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels lars.eng...@0x20.net wrote: On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote: all of

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Daniel Feenberg
On Sun, 20 Jul 2014, Kurt Jaeger wrote: Hi! And you don't seem to get the point that _someone_ has to do the work. No one has stepped up so far, so nothing is going to change. Franco Fichtner said he's interested in doing it. He probably needs funding. No one with authority has yet said

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Julian Elischer
On 7/20/14, 12:36 PM, Darren Pilgrim wrote: The vast majority of people don't know pf is outdated and broken on FreeBSD because they don't know what they're missing and likely aren't using IPv6 yet. s/IPv6/pf/ Most people I talk to just use ipfw and couldn't care whether pf lives or dies.

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Julian Elischer
On 7/21/14, 7:27 AM, Andreas Nilsson wrote: On Sun, Jul 20, 2014 at 7:41 PM, Alexander Kabaev kab...@gmail.com wrote: On Sun, 20 Jul 2014 10:15:36 -0400 Maxim Khitrov m...@mxcrypt.com wrote: On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels lars.eng...@0x20.net wrote: On Sun, Jul 20, 2014 at

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Andreas Nilsson
On Mon, Jul 21, 2014 at 5:24 AM, Julian Elischer jul...@freebsd.org wrote: On 7/21/14, 7:27 AM, Andreas Nilsson wrote: On Sun, Jul 20, 2014 at 7:41 PM, Alexander Kabaev kab...@gmail.com wrote: On Sun, 20 Jul 2014 10:15:36 -0400 Maxim Khitrov m...@mxcrypt.com wrote: On Sun, Jul 20, 2014

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread Andreas Nilsson
On Mon, Jul 21, 2014 at 7:41 AM, sth...@nethelp.no wrote: Also, the openbsd stack has some essential features missing in freebsd, like mpls and md5 auth for bgp sessions. I use MD5 auth for BGP sessions every day (and have been doing so for several releases). One could definitely wish for

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-20 Thread sthaug
Also, the openbsd stack has some essential features missing in freebsd, like mpls and md5 auth for bgp sessions. I use MD5 auth for BGP sessions every day (and have been doing so for several releases). One could definitely wish for better integration - having to specify MD5 key both in

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Stephen Hurd
krad wrote: that is true and I have no problem using man pages, however that's not the way most of the world work and search engines aren't exactly new either. We should be trying to engage more people not less, and part of that is reaching out. One of FreeBSD's historic strengths has been the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Andreas Nilsson
On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim list_free...@bluerosetech.com wrote: On 7/18/2014 4:06 AM, Gleb Smirnoff wrote: K b) We are a major release away from OpenBSD (5.6 coming soon) - is K following OpenBSD's pf the past? - should it be? Following OpenBSD on features would be

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Baptiste Daroussin
On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote: On 2014-07-18 15:07, Adrian Chadd wrote: On 18 July 2014 07:34, krad kra...@gmail.com wrote: that is true and I have no problem using man pages, however that's not the way most of the world work and search engines aren't exactly new

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Mark Felder
On Jul 19, 2014, at 3:35, Andreas Nilsson andrn...@gmail.com wrote: On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim list_free...@bluerosetech.com wrote: On 7/18/2014 4:06 AM, Gleb Smirnoff wrote: K b) We are a major release away from OpenBSD (5.6 coming soon) - is K following OpenBSD's

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Kevin Oberman
On Sat, Jul 19, 2014 at 6:50 AM, Mark Felder f...@freebsd.org wrote: On Jul 19, 2014, at 3:35, Andreas Nilsson andrn...@gmail.com wrote: On Sat, Jul 19, 2014 at 4:40 AM, Darren Pilgrim list_free...@bluerosetech.com wrote: On 7/18/2014 4:06 AM, Gleb Smirnoff wrote: K b) We are a

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Peter Wemm
On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote: On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote: On 2014-07-18 15:07, Adrian Chadd wrote: On 18 July 2014 07:34, krad kra...@gmail.com wrote: that is true and I have no problem using man pages, however that's not

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Darren Pilgrim
On 7/18/2014 6:51 AM, Franco Fichtner wrote: c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf-mailing list flamed the new syntax saying it would cause FreeBSD administrators too much headache. Today on the list it seems everyone wants it - so

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-19 Thread Adrian Chadd
On 19 July 2014 21:36, Darren Pilgrim list_free...@bluerosetech.com wrote: On 7/18/2014 6:51 AM, Franco Fichtner wrote: c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf-mailing list flamed the new syntax saying it would cause FreeBSD

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Gleb Smirnoff
Kristian, On Thu, Jul 17, 2014 at 01:12:09AM +0200, Kristian K. Nielsen wrote: K a) First of all - are any actively developing pf in FreeBSD? No one right now. K b) We are a major release away from OpenBSD (5.6 coming soon) - is K following OpenBSD's pf the past? - should it be? Following

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread krad
I would like to see an updated version of pf. I realize it's a big job to port it though. On 17 July 2014 00:12, Kristian K. Nielsen free...@com.jkkn.dk wrote: Hi all, I have been encouraged by people on the pf-mailinglist to move this discussion to the current mailinglist since this may be

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Miroslav Lachman
Gleb Smirnoff wrote, On 07/18/2014 13:06: [...] The pf mailing list is about a dozen of active people. Yes, they are vocal on the new syntax. But there also exist a large number of common FreeBSD users who simply use pf w/o caring about syntax and reading pf mailing list. If we destroy the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Gerrit Kühn
On Fri, 18 Jul 2014 15:06:45 +0400 Gleb Smirnoff gleb...@freebsd.org wrote about Re: Future of pf / firewall in FreeBSD ? - does it have one ?: GS The pf mailing list is about a dozen of active people. Yes, they are GS vocal on the new syntax. But there also exist a large number of common GS

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Mark Felder
July 18 2014 6:07 AM, Gleb Smirnoff wrote: Kristian, On Thu, Jul 17, 2014 at 01:12:09AM +0200, Kristian K. Nielsen wrote: K a) First of all - are any actively developing pf in FreeBSD? No one right now. How do we fix this? Can the FreeBSD Foundation step in and provide funding? Our

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Gleb Smirnoff
Mark, On Fri, Jul 18, 2014 at 01:31:04PM +, Mark Felder wrote: M On Thu, Jul 17, 2014 at 01:12:09AM +0200, Kristian K. Nielsen wrote: M K a) First of all - are any actively developing pf in FreeBSD? M M No one right now. M M M How do we fix this? Can the FreeBSD Foundation step in

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Eric Masson
Gleb Smirnoff gleb...@freebsd.org writes: Hi, Following OpenBSD on features would be cool, but no bulk imports would be made again. Bulk imports produce bad quality of port, and also pf in OpenBSD has no multi thread support. Seems this is the Next Big Thing ™ that will hit OpenBSD/pf

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Franco Fichtner
Hi Kristian, On 17 Jul 2014, at 01:12, Kristian K. Nielsen free...@com.jkkn.dk wrote: a) First of all - are any actively developing pf in FreeBSD? not directly related to FreeBSD, but I was planning to bring DragonFly's pf to a new feature state. We've had a little bit of discussion over the

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread krad
This is also another important point. If you go onto Google and search on how to do this and that under pf, you get a mix of FreeBSD and OpenBSD stuff coming up. I haven't analysed it but I think the majority of the stuff is OpenBSD-related. Therefore I find some nice solution to my problem, only

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread krad
That is true and I have no problem using man pages; however, that's not the way most of the world works, and search engines aren't exactly new either. We should be trying to engage more people, not less, and part of that is reaching out. On 18 July 2014 15:10, Matt Bettinger iam...@gmail.com wrote:

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Matt Bettinger
Back in the day we didn't have Google to ask the oracle for cut and paste answers. If the man page is accurate that should be good enough. On Jul 18, 2014 8:26 AM, krad kra...@gmail.com wrote: This is also another important point. If you go onto Google and search on how to do this and that

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Adrian Chadd
On 18 July 2014 07:34, krad kra...@gmail.com wrote: That is true and I have no problem using man pages; however, that's not the way most of the world works, and search engines aren't exactly new either. We should be trying to engage more people, not less, and part of that is reaching out. Then do

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Allan Jude
On 2014-07-18 15:07, Adrian Chadd wrote: On 18 July 2014 07:34, krad kra...@gmail.com wrote: That is true and I have no problem using man pages; however, that's not the way most of the world works, and search engines aren't exactly new either. We should be trying to engage more people, not less,

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-18 Thread Darren Pilgrim
On 7/18/2014 4:06 AM, Gleb Smirnoff wrote: K b) We are a major release away from OpenBSD (5.6 coming soon) - is K following OpenBSD's pf the past? - should it be? Following OpenBSD on features would be cool, but no bulk imports would be made again. Bulk imports produce bad quality of port, and

Re: Future of pf / firewall in FreeBSD ? - does it have one ?

2014-07-16 Thread Kurt Jaeger
Hi! * Should this or could this be a project for the foundation to either do a summer project or funded project to bring this part of the OS up to date? My 2 cents: Yes, this should be tackled by a dedicated project, even better if funded by the foundation. -- p...@opsec.eu+49