On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec <mark.martinec+free...@ijs.si> wrote:
> On 2014-07-09 0:32, Kristian K. Nielsen wrote:
>
>> f) IPv6 support? - it seems to be more and more challenged in the current
>> version of pf in FreeBSD and I am (as well as others) introducing more
>> and more IPv6 in networks.
>> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
>> which is the bug on not handling IPv6 fragments which has been open
>> since 2008 and where the workaround is the necessity to leave an open hole
>> in your firewall ruleset to allow all fragments. According to a comment in
>> the bug, this has been long gone in OpenBSD.
>>
>
> The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
> Besides the long-standing bugs (like: scrub reassemble tcp
> breaks CRC on IPv6), the following stands out:
>

Can you be a bit more verbose on this one?

> - last time I looked, neither PF nor IPFW could be used on a
>   FreeBSD kernel built WITHOUT_INET. This means that features
>   like ssh-guard and per-application protection on a dedicated
>   IPv6-only host are not available
>

I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before it should be possible to compile without INET afair!
Which version of FreeBSD are you testing this on?

> - no support for IPv6 prefix translation,
>   and no stateful NAT64 support
>

Part of this is on my queue to be integrated from Open, soon!

> Then, unrelated to IPv6:
>
> - no support for DSCP (the TOS byte includes ECN bits, hard to
>   filter out)
>
> - the new 'match' mechanism would be really nice to have
>

All of this is on pfSense side implemented. I cannot state the clear timeline of integration into FreeBSD but patches are available for pf from pfSense.
> > Mark > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org" > -- Ermal _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"