[OpenIndiana-discuss] Community interest in illumos PF port?
Hello, Some of us love the Packet Filter (PF) from OpenBSD. It would be awesome to have this available on illumos as alternative to ipf. We (sjorge and xenol) played around with the idea of a kickstarter. The budget required for that would probably be much more than what we can collect. But not trying is not a winning move. Is there any other interest in this from anyone in the illumos community? Cheers, Adam and Jorge signature.asc Description: Message signed with OpenPGP using GPGMail ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
I am assuming that you already know that Packet Filter (PF) is included with Solaris 11.3, and although ipfilter is still there, it is being depreciated. Jerry On 12/05/16 16:01, Adam Števko wrote: Hello, Some of us love the Packet Filter (PF) from OpenBSD. It would be awesome to have this available on illumos as alternative to ipf. We (sjorge and xenol) played around with the idea of a kickstarter. The budget required for that would probably be much more than what we can collect. But not trying is not a winning move. Is there any other interest in this from anyone in the illumos community? Cheers, Adam and Jorge ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/12/16 11:18 PM, Jerry Kemp wrote: I am assuming that you already know that Packet Filter (PF) is included with Solaris 11.3, and although ipfilter is still there, it is being depreciated. Everybody knows is but just to say for others, Orcl S11+ , being Opensolaris fork, is proprietary for OS/Net (kernel) parts, so code is not available and even it is, it's depending on closed source kernel. I would also like to see an announcement about ipfilter deprication in S11 yet. They also do ipfilter configuring in somewhat different way and don't expect it to remove it for S11. But let us see what's for illumos, there's no kernel source over the fence. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
> Am 12.05.2016 um 23:01 schrieb Adam Števko : > > Is there any other interest in this from anyone in the illumos community? I am very interested in this. Important for me is that the code will be public available on github, gitlab, gitwhatever, so that contribution is easy to manage. When do you plan to start your kickstarter campaign? - Stefan ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
I'm very interested in this - we currently have to run PF firewalls on OpenBSD or FreeBSD boxes John Ireland On 13/05/16 15:07, qutic development wrote: Am 12.05.2016 um 23:01 schrieb Adam Števko : Is there any other interest in this from anyone in the illumos community? I am very interested in this. Important for me is that the code will be public available on github, gitlab, gitwhatever, so that contribution is easy to manage. When do you plan to start your kickstarter campaign? - Stefan ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- John Ireland - Computer Systems Architect MRC Institute of Genitics and Molecular Medicine University of Edinburgh, EH4 2XU Phone: +44 (0)131 651 8640 The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/12/16 10:50 PM, Nikola M wrote: I would also like to see an announcement about ipfilter deprication in S11 yet. http://www.oracle.com/technetwork/systems/end-of-notices/eonsolaris11-392732.html "The IPFilter firewall will not be available in a future release. In future releases of Oracle Solaris OS, the OpenBSD Packet Filter (PF) will be available as the firewall. PF will be available in the pkg:/network/firewall package. If you upgrade your Oracle Solaris 11.x OS to newer versions, the upgrade process is facilitated by the ipf2pf (pkg:/network/ipf2pf) package. This package installs the tools that will assist you in the migration of IPFilter configuration to PF. Note: Manual intervention will be required to ensure PF rules implement the desired network policy." -- -Alan Coopersmith- alan.coopersm...@oracle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/13/16 06:14 PM, Alan Coopersmith wrote: On 05/12/16 10:50 PM, Nikola M wrote: I would also like to see an announcement about ipfilter deprication in S11 yet. http://www.oracle.com/technetwork/systems/end-of-notices/eonsolaris11-392732.html "The IPFilter firewall will not be available in a future release. In future releases of Oracle Solaris OS, the OpenBSD Packet Filter (PF) will be available as the firewall. PF will be available in the pkg:/network/firewall package. If you upgrade your Oracle Solaris 11.x OS to newer versions, the upgrade process is facilitated by the ipf2pf (pkg:/network/ipf2pf) package. This package installs the tools that will assist you in the migration of IPFilter configuration to PF. Note: Manual intervention will be required to ensure PF rules implement the desired network policy." Thanks much Alanc. Was looking for something like that page. Does that mean that might happen inside 11.x as i see it mentions , so inside S11 lifetime in one of the updates. As interesting as it is, it would surely need a separate project at illumos and see no direct connection with illumos implementing it except, it is nice to have it. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/12/16 11:01 PM, Adam Števko wrote: Hello, Some of us love the Packet Filter (PF) from OpenBSD. It would be awesome to have this available on illumos as alternative to ipf. We (sjorge and xenol) played around with the idea of a kickstarter. The budget required for that would probably be much more than what we can collect. But not trying is not a winning move. Is there any other interest in this from anyone in the illumos community? That would need for it to be implemented also inside zones and to be drop-in replacement for ipfilter. ipfilter might stay there maybe as an alternative if someone wants to use it still , with something similar like "firewall" package that points to new default. One thing needed would be an Openindiana funds account (possibly managed by Entic.net to avoid any costs for it or something) and at least one funding officer that would make a list about spendings and at least 2 persons in spending decision board. Question of having an account somewhere, anywhere for Openindiana was pulled no so long ago, too, when several people asked weither OI has a way of contributing money in general for OI needs and funding development, e.g. contributing also with money and not only with testing, using, advocacy, building and coding. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/13/16 06:39 PM, Nikola M wrote: On 05/12/16 11:01 PM, Adam Števko wrote: Hello, Some of us love the Packet Filter (PF) from OpenBSD. It would be awesome to have this available on illumos as alternative to ipf. We (sjorge and xenol) played around with the idea of a kickstarter. The budget required for that would probably be much more than what we can collect. But not trying is not a winning move. Is there any other interest in this from anyone in the illumos community? That would need for it to be implemented also inside zones and to be drop-in replacement for ipfilter. ipfilter might stay there maybe as an alternative if someone wants to use it still , with something similar like "firewall" package that points to new default. One thing needed would be an Openindiana funds account (possibly managed by Entic.net to I am not sure why I repeatedly forget that OI's main sponsor for hosting and build machines and everything for all these years is Evercity.co.uk , but I am very glad i can fix this error of mine. Thanks Evercity! avoid any costs for it or something) and at least one funding officer that would make a list about spendings and at least 2 persons in spending decision board. Question of having an account somewhere, anywhere for Openindiana was pulled no so long ago, too, when several people asked weither OI has a way of contributing money in general for OI needs and funding development, e.g. contributing also with money and not only with testing, using, advocacy, building and coding. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/13/16 06:42 PM, Nikola M wrote: everything for all these years is Evercity.co.uk , but I am very glad i can fix this error of mine. Thanks Evercity! everycity.co.uk huh! ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/13/16 09:32 AM, Nikola M wrote: On 05/13/16 06:14 PM, Alan Coopersmith wrote: On 05/12/16 10:50 PM, Nikola M wrote: I would also like to see an announcement about ipfilter deprication in S11 yet. http://www.oracle.com/technetwork/systems/end-of-notices/eonsolaris11-392732.html "The IPFilter firewall will not be available in a future release. In future releases of Oracle Solaris OS, the OpenBSD Packet Filter (PF) will be available as the firewall. PF will be available in the pkg:/network/firewall package. If you upgrade your Oracle Solaris 11.x OS to newer versions, the upgrade process is facilitated by the ipf2pf (pkg:/network/ipf2pf) package. This package installs the tools that will assist you in the migration of IPFilter configuration to PF. Note: Manual intervention will be required to ensure PF rules implement the desired network policy." Thanks much Alanc. Was looking for something like that page. Does that mean that might happen inside 11.x as i see it mentions , so inside S11 lifetime in one of the updates. As interesting as it is, it would surely need a separate project at illumos and see no direct connection with illumos implementing it except, it is nice to have it. The page doesn't specify exact releases to leave our options open, but the current plan is to have both IPfilter & PF in 11.x releases for a transition period, and then drop IPfilter in 12.0. As with all software plans, they're subject to change as we develop the code. -alan- ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
On 05/13/16 06:57 PM, Alan Coopersmith wrote: On 05/13/16 09:32 AM, Nikola M wrote: On 05/13/16 06:14 PM, Alan Coopersmith wrote: Note: Manual intervention will be required to ensure PF rules implement the desired network policy." Thanks much Alanc. Was looking for something like that page. Does that mean that might happen inside 11.x as i see it mentions , so inside S11 lifetime in one of the updates. As interesting as it is, it would surely need a separate project at illumos and see no direct connection with illumos implementing it except, it is nice to have it. The page doesn't specify exact releases to leave our options open, but the current plan is to have both IPfilter & PF in 11.x releases for a transition period, and then drop IPfilter in 12.0. As with all software plans, they're subject to change as we develop the code. That's what I was thinking by looking at that page also. Thanks Alanc! ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Community interest in illumos PF port?
Hello, We promised to send a reply once we gathered some data, so here it is. From what alanc told us Oracle spent well over 2 engineer years working on their port. This would require high amount of money for a successfull crowdsourcing campaign. 27 people including us (Adam and Jorge) responded that we would like to see pf ported to illumos. However, all of us were individuals without a backing company to hack with some serious amount of funds. Based on this fact, we conclude that the crowdsourcing campaign would fail. Regards Adam and Jorge > On May 13, 2016, at 7:03 PM, Nikola M wrote: > > On 05/13/16 06:57 PM, Alan Coopersmith wrote: >> On 05/13/16 09:32 AM, Nikola M wrote: >>> On 05/13/16 06:14 PM, Alan Coopersmith wrote: Note: Manual intervention will be required to ensure PF rules implement the desired network policy." >>> >>> Thanks much Alanc. Was looking for something like that page. >>> >>> Does that mean that might happen inside 11.x as i see it mentions , so >>> inside >>> S11 lifetime in one of the updates. >>> >>> As interesting as it is, it would surely need a separate project at illumos >>> and >>> see no direct connection with illumos implementing it except, it is nice to >>> have >>> it. >> >> The page doesn't specify exact releases to leave our options open, but the >> current plan is to have both IPfilter & PF in 11.x releases for a transition >> period, and then drop IPfilter in 12.0. As with all software plans, they're >> subject to change as we develop the code. > > That's what I was thinking by looking at that page also. > Thanks Alanc! > > > ___ > openindiana-discuss mailing list > openindiana-discuss@openindiana.org > http://openindiana.org/mailman/listinfo/openindiana-discuss signature.asc Description: Message signed with OpenPGP using GPGMail ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
