Re: pf or npf?

2016-02-25 Thread Jan Danielsson
On 25/02/16 19:40, Jukka Marin wrote:
> I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
> on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
> Why?

   My router panics (in pf) from time to time (NetBSD/amd64 6.1.x).
Also, I run miniupnpd (because I need UPnP), and while the rules will
successfully be created in pf, inbound UDP packets more often than not
will not pass through.  For me pf is a little flaky, so I'm always on
the side of moving away from it.  But to be fair, it seems more stable
for others.

   If it weren't for me needing UPnP, I would have moved to npf a long
time ago.

> I have found more examples and manuals for pf, and moving to npf seems like
> extra work.  With pf, I could also copy my config over with minor
> modifications (I guess).

   If you don't have any specific needs (like UPnP), then I would say
it's a good opportunity to do the migration.

   I did convert one of my pf configurations to npf (I was looking into
adding npf support to miniupnpd), and it was definitely not a huge task.

-- 
Kind Regards,
Jan


Re: pf or npf?

2016-02-25 Thread Swift Griggs

On Thu, 25 Feb 2016, John Nemeth wrote:
> You didn't ask, but I'll add that the third option is ipfilter. It sits
> somewhere in the middle.  It hasn't seen a lot of maintenance or
> enhancement lately, but it is still much newer than pf.

Just FYI, the last version was 4.1.33 and was released 2013-04-24
according to SourceForge. Looks like Darren Reed still runs the project,
but as you say, there isn't any action lately.

> It is also quite stable and usable.


I still use it on Tru64 5.1B as it is the only realistic and free option 
available that I'm aware of. I've also used it on Solaris 8, IRIX 6.2 and 
6.5, Unixware 7, QNX, and HPUX.


I don't know much about all the bitchery and crying that went on between 
Darren and Theo. *shrug*. I will just say ipfilter works amazingly great 
considering some of the challenging and crappy situations I've put it in. 
Years ago I ran a firewall with IRIX 6.2 that was up for about 3 years 
with no issues at all (yeah, laugh it up at IRIX, but it was beat on 
constantly and nobody hacked it).


All that said, I'm excited about NPF, too. Finally our own code we can go 
fine-grain or lockless on. That should help us push the turbo-button on 
the filtering performance. Congrats to Mr. Rasiukevicius and friends on a 
great job so far!


-Swift


Re: pf or npf?

2016-02-25 Thread Marc Balmer
You should move to npf. It is the firewall supported by NetBSD and it works.

> On 25.02.2016 at 19:40, Jukka Marin wrote:
> 
> Dear List,
> 
> I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
> on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
> Why?
> 
> I have found more examples and manuals for pf, and moving to npf seems like
> extra work.  With pf, I could also copy my config over with minor
> modifications (I guess).
> 
> Thanks for wisdom and opinions.
> 
>  -jm


Re: pf or npf?

2016-02-25 Thread John Nemeth
On Feb 25,  8:40pm, Jukka Marin wrote:
} 
} I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
} on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
} Why?

 You could certainly use pf with NetBSD 7.0.  However, I would
have to point out that the version of pf that came with NetBSD 6.0
was ancient and unmaintained.  The situation hasn't changed with
NetBSD 7.0, i.e. it ships with pretty much the same code for pf that
NetBSD 6.0 did.

} I have found more examples and manuals for pf, and moving to npf seems like
} extra work.  With pf, I could also copy my config over with minor
} modifications (I guess).

 npf is relatively new and only in NetBSD (as far as I know)
so naturally there will be less information about it.  However,
keep in mind that information that you find on the 'net about pf
might be assuming a more modern version.  npf has appeared in two
major NetBSD releases now, and while still undergoing development,
should be relatively stable.  It is also designed to be much more
performant.

 You didn't ask, but I'll add that the third option is ipfilter.
It sits somewhere in the middle.  It hasn't seen a lot of maintenance
or enhancement lately, but it is still much newer than pf.  It is
also quite stable and usable.

}-- End of excerpt from Jukka Marin


pf or npf?

2016-02-25 Thread Jukka Marin
Dear List,

I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
Why?

I have found more examples and manuals for pf, and moving to npf seems like
extra work.  With pf, I could also copy my config over with minor
modifications (I guess).

Thanks for wisdom and opinions.

  -jm