Tim et al., I don't use pf as a WAN-side firewall, but rather to make my core a bit more "crunchy" by firewalling unnecessary inter-host traffic on the LAN side of the ABR.

On the "nativity" side of things, pf *is* native in FreeBSD and is present in base, as you know. It was simply developed by the OpenBSD crew (à la OpenSSL and OpenSSH). If it ran on Linux or another UNIX derivative, *then* it would need to be ported to the vastly different internals of the new system. Between *BSDs, though, they share so much architecturally that calling it a "port" is a bit of a misnomer.

Most *BSD users prefer pf for the syntactical legibility that other firewall packages (read: ipfw) lack, and for a feature set that is competitive with most any commercial firewall on the market. I could not live without its integration with spamd (also OBSD-developed) to tarpit spammers based on procmail/SA filters on my mail servers.

The only real alternative to proprietary packages for mainstream UNIX users is ipfilter, which has been ported to everything from Ultrix to Irix 5.3-6.5 to HP-UX 10.20/11i to Solaris. Tru64 and VMS (though not a UNIX) also have ports of ipfilter. In that regard, if one were to standardize on a host-based firewall, ipfilter may very well be the only choice. And it has the added benefit of having a (mostly) legible syntax.

Brandon

--
If UNIX doesn't have the solution you have the wrong problem.
UNIX is simple, but it takes a genius to understand its simplicity.

_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug

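As an added illustration (not part of Brandon's post), a minimal FreeBSD pf.conf for the host-side role he describes: default-deny on the LAN interface, passing only the services the host actually offers, plus the spamd redirect he mentions. The interface name, subnet, admin host and port list are assumptions, and pf evaluates filter rules last-match-wins unless `quick` is used, so the more specific rules sit below the broader ones.

```pf
# Constructed example: host-based pf ruleset for a LAN-facing mail/web host.
# Interface, addresses and ports are assumptions, not from the original post.
lan_if     = "em0"
lan_net    = "192.168.10.0/24"
admin_host = "192.168.10.5"
services   = "{ 25, 80, 443 }"

# Greylist/blacklist table fed by spamd-setup; entries are tarpitted by spamd.
table <spamd> persist file "/etc/mail/spamd.txt"

set skip on lo0
scrub in on $lan_if all

# Translation rules come before filter rules: send listed senders to spamd.
rdr pass on $lan_if proto tcp from <spamd> to ($lan_if) port smtp \
    -> 127.0.0.1 port 8025

# Default deny inbound, logged, so unexpected inter-host traffic shows in pflog.
block in log on $lan_if all

# Only the services this host offers, and only from the local subnet.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port $services \
    flags S/SA keep state

# SSH only from the admin workstation; a bare "pass" for port 22 is absent above,
# so other LAN hosts fall through to the default block.
pass in on $lan_if proto tcp from $admin_host to ($lan_if) port 22 \
    flags S/SA keep state

# Replies and outbound connections initiated by this host.
pass out on $lan_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked inter-host attempts are visible via `tcpdump -n -e -ttt -i pflog0`.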