Well, I don't know how you read the ipfw2 logs, the latest effective change is at: https://gitweb.dragonflybsd.org/dragonfly.git/commit/bd3c67c0d566d63cb66697206eb49208a9e0f7b9
That's "Tue, 16 Jan 2018 05:09:49 +0000". And I am still working on it, though limited by my spare time.

Thanks,
sephe

On Tue, Feb 12, 2019 at 10:44 AM Nacho Lariguet <[email protected]> wrote:
>
> While researching which firewall to use I came across what may seem
> outdated/misguided/whatever documentation; please, correct me when
> wrong (probably the whole story) and advise (if at all) possible:
>
> Quoting from "Firewall options in DragonFlyBSD" @
> https://www.dragonflybsd.org/docs/handbook/Security/#index8h3
>
> ... my notes
>
> "DragonFlyBSD inherited the IPFW firewall (versions 1 and 2) when it
> forked from FreeBSD."
>
> "Pretty soon after though, we imported the new pf packet filter that
> the OpenBSD developers created from scratch."
> "It is a cleaner code base and is now the recommended solution for
> firewalling DragonFly."
> "Keep in mind that the PF version in DragonFly is not in sync with
> OpenBSD's PF code."
> "We have not yet incorporated the improvements made in PF over the
> last few years, but we have some improvements of our own."
> "A copy of the OpenBSD PF user's guide corresponding to the version of
> PF in DragonFly can be downloaded as TXT or PDF."
>
> ... so: DragonFlyBSD <- OpenBSD PF
> ... so: DragonFlyBSD current version is 4.5 released 2009-10-15 as
> stated in TXT @
> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt
>
> ... but: OpenBSD PF current version is 5.3 released 2013-10-31 @
> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq53.txt (last FAQ
> listed) ?
> ... or: OpenBSD PF current version is 6.4 @
> https://www.openbsd.org/faq/pf/index.html (no version stated here) ?
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf/pf.c
>
> ... but PF labeled COPYRIGHT 2002~2008 on /sys/net/pf.c
> ... but PF labeled COPYRIGHT 2010~2014 on /sys/net/pfvar.c
>
> ... quoting: "... over the last few years ..."
> ... how many years are we talking ? 2009~2019 ? 10 years (or-so) behind ?
> ... really not thinking new features; just security vulnerabilities
>
> "IPFW is still and will remain supported for the foreseeable future;
> it has some features not yet available in PF."
>
> ... so it is on life-support until ... PF eventually synched ?
>
> "If you're interested in IPFW, read ipfw(4) and ipfw(8)."
>
> ... OK. I am. Let's see the alternative:
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw/ip_fw2.c
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw/ipfw2.c
>
> ... so /sys/net/ipfw/ip_fw2.c is 1.6.2.12 2003-04-08 ?
> ... so /sbin/ipfw/ipfw2 is 1.4.2.13 2003-05-27 ?
>
> ... found (on 2015-03-12): Rename all elements of the port to ipfw3
> to reduce confusion ... ie: ipfw2 -> ipfw3
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6a03354eaf5595cb09622704ea7d2ef2794ccffb
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3/ip_fw3.c
>
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
> ...
> https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3/ipfw3.c
>
> ... found: IPFW3 labeled COPYRIGHT 2014~2018 both on
> /sys/net/ipfw3/ip_fw3.c and /sbin/ipfw3/ipfw3.c
>
> ... so: IPFW2 (from FreeBSD) imported to DragonFlyBSD keeping
> (parallel/separate) development until a point into which was renamed
> IPFW3 ... right ?
>
> ... question: why is it (now obsolete) IPFW2 still on the tree ?
> what case-scenarios (15-or-so-years-old code) still
> covers being 2019 ?
>
> ... question: documentation states IPFW (formerly IPFW2 currently
> IPFW3) is somewhat on life-support until eventually synchronizing
> OpenBSD PF current
> but source activity seems to tell quite the opposite:
> that PF is stalled/abandoned and IPFW3 development keeps going on
> am I right ?
>
> ... question: what firewall should be actually using on DragonFlyBSD ?
>
> - outdated (what seemed many-years behind) PF
> advertised for its correctness/clean-code/whatever and recommended
> solution by the documentation ?
> - IPFW3
> (rewritten-from-scratch/SMP-friendly/improved/etc) although advised
> not to by the documentation ?
> - forget about using a firewall in DragonFlyBSD and use
> something else elsewhere ?
>
> ... am I missing something ?
>
> ... do I have all the facts totally wrong ?

--
Tomorrow Will Never Die
