Re: Future of pf / firewall in FreeBSD ? - does it have one ?

Board: FB_questions, posted 2014/07/20 13:01 (post 23 of 44 in this thread)
On 19 July 2014 21:36, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
> On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>>>
>>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>>> discussion on the pf-mailing list flamed the new syntax saying it would
>>> cause FreeBSD administrators too much headache. Today on the list it seems
>>> everyone wants it - so would we rather stay on a dead branch than keep up
>>> with the main stream?
>>
>>
>> I'd say many people are comfortable with an old state of pf (silent
>> majority), but that shouldn't keep us from catching up with newer
>> features (and of course bugfixes).
>
>
> Never mistake silence for consent.
>
> The vast majority of people don't know pf is outdated and broken on FreeBSD
> because they don't know what they're missing and likely aren't using IPv6
> yet. The moment you turn on IPv6 and restart a validating unbound, you run
> full-speed into pf's broken behaviour. Make an EDNS0-enabled query for a
> signed zone and you'll get a fragmented UDP packet that will never make it
> through unless you tell pf to allow all fragments unconditionally. They'll
> simply think something is wrong with unbound, turn off EDNS0 and/or
> validation, hurt performance and/or security in the process, and never
> realize their firewall is doing literally the worst possible thing it could
> do.
>
> All because over half a decade ago some folks got all butthurt over a config
> file format change.

if someone wants to port the up to date pf and can fix whatever
performance / parallelism issues creep up, then go for it.

-a