Future of pf / firewall in FreeBSD? - does it have one?
Hi all,
I have been encouraged by people on the pf-mailinglist to move this discussion to the current mailinglist since this may be an area in the OS where FreeBSD needs to focus on next.
First of all I am a happy user of the pf-firewall module and have been for years and think it is really great - the trouble is that lately (since 2008) it's getting a bit dusty.
The last few years it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated
- also looking at ipfilter (ipf) and ipfw - to me they both do not seem to be as complete as pf.
So I am curious if anyone on the mailing list could elaborate about what the future of pf in FreeBSD is or should be.
a) First of all - is anyone actively developing pf in FreeBSD?
b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past? - should it be?
c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long discussion on the pf-mailing list flamed the new syntax saying it would cause FreeBSD administrators too much headache. Today on the list it seems everyone wants it - so would we rather stay on a dead branch than keep up with the main stream?
d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the pf-list.
e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
http://undeadly.org/cgi?action=article&sid=20140419151959
f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD and I am (as well as others) introducing more and more IPv6 in networks.
E.g. bugs #179392, #172648, #130381, #127920 and more seriously #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround is the necessity to leave a completely open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.
g) Performance, can we live with pf-performance that compared to OpenBSD is slower by a factor of 3 or 4, even after the multi-core support in FreeBSD 10?
(Henning Brauer noted that in this talk at http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 36:53)) - credit/Jim Thompson
h) Bringing back patches from pfSense?
And my most important question:
* Should this or could this be a project for the foundation to either do a summer project or a funded project to bring this part of the OS up to date?
Hope to hear from you all,
Best regards,
Kristian Kræmmer Nielsen,
Odense, Denmark