On Fri, Jun 21, 2013 at 9:49 PM, Stan Gammons <[email protected]> wrote:
> I see there are several PF bugs and wondered if it's because PF isn't
> maintained on FreeBSD? Perhaps that's the case given the version
> differences versus PF on OpenBSD. If not, is Ipfilter the "preferred"
> firewall on FreeBSD? Or is IPFW? I like PF, but reporting utilities
> for it, compared to ipfilter and even iptables on Linux, leave a bit to
> be desired.
>
>
> Stan

For what it's worth, I've been gradually migrating the few firewalls that I maintain to OpenBSD. FreeBSD pf is fine, and it's what I use for protecting individual servers, but I find that the new syntax, which was introduced after OpenBSD 4.5, produces rulesets that are more compact and easier to maintain when it comes to routing traffic between networks. The new priority queuing (set prio) is much simpler than ALTQ (and should perform better, though I haven't tested this). I'm also looking forward to the work that's being done to free HFSC from ALTQ and make it understandable and usable by mere mortals.

PF is still my choice on FreeBSD and I've never had any issues with the tools (pfctl and pftop primarily), but OpenBSD's version is more actively maintained and improved. There have been plenty of discussions about porting a more recent version of pf to FreeBSD (search the archives) and it doesn't look like that will happen any time soon.

If you'd like to understand the differences between the two, below are a few presentations on the topic:

Faster Packets - Performance Tuning in the OpenBSD network stack and pf
http://quigon.bsws.de/papers/2009/eurobsdcon-faster_packets/
http://www.youtube.com/watch?v=yqG67o4bYgY

10 years of pf
http://quigon.bsws.de/papers/2011/pf10yrs/
http://cisx1.uma.maine.edu/~wbackman/bsdtalk/BSDCan2011/10YearsofPF.mp3

OpenBSD network stack evolution
http://quigon.bsws.de/papers/2012/bsdcan/
http://www.youtube.com/watch?v=r6Nx15UGWZc
