On 02/04/2019 at 20:46, MLH wrote:
> I continue to use pf and not npf because:
> 1) I couldn't get std rulesets to seem to work (been a while though)
> 2) no port redirection
> 3) dynamic ruleset use didn't appear to be adequate
> 4) greylisting (not just email) for custom stuff that I can't see how to support in npf.
> 5) Needs far more documentation and help than I have seen.
> I would like to move to npf as some future features look nice (SYN floods, DoS attacks, etc). However, in addition to std rulesets, etc, I use log followers to block attacks. While not the main security, they really help hold down traffic, etc. and I'm not anywhere near willing to give them up. I tried using blacklistd but never could get it to work (also been a while).
At least people answer the question that was asked, so thanks for that already. However, I must say I'm still a bit confused by this answer (and the others I've seen). Do you understand that PF is a clear security risk for your system? Or, you obviously understand, but don't care much? Sure, PF has features NPF doesn't have; but a firewall is supposed to stop the fire, not create the conditions for it to spread. And sure, each software has bugs, but you don't need to have a Nobel Prize to understand that 11-year-old unmaintained software has many more bugs than its up-to-date version; in the case of PF it is obviously proven.

In essence, if it's that you don't care, then indeed keeping PF may not be a real problem for us, except looking a bit irresponsible. I mean, we don't care either if you give your credit card number to every stranger that calls you on the phone... some responsibility is on the user's side. However, I do believe that our responsibility is still to prevent confusion, even when it implies removing some features. Yes, it is sad if you can't use ftp-proxy on NPF for now, yes NPF's syntax is not the same as PF's, and so on. But NPF equally has many advanced benefits that you don't get with PF.

If you really want to use PF, I would recommend that you switch to another OS, for your own safety. PF has no future in NetBSD. It's been one decade of this; at some point we need to cut the crap.
