Hello,

If you ignore the feature comparison with npf and you are an avid PF on NetBSD fan, you should be concerned with the following:

On 29/03/2019 20:26, Maxime Villard wrote:
> Currently, NetBSD's PF is 11 years old, has received no maintenance,
> and has accumulated bugs and vulnerabilities that were fixed upstream
> but not in NetBSD. The latest examples are two vulnerabilities
> recently discovered in PF, that haven't been fixed in NetBSD's PF by
> lack of interest.

Your firewall of choice in NetBSD (PF) is lacking many bug fixes which need to be integrated either by back porting or importing an up to date version of pf. It is irresponsible to ship an insecure firewall with known issues and an added burden to the security team. To address the security issues requires paying off a huge amount of technical debt in the form of bringing things up to date with upstream version of PF or analysing and back porting changes.

Should NetBSD-9 ship with a version of PF with known security issues? Is anyone willing to step forward and take on the work?

Sevan
