Upgrading FreeBSD to use the NEW pf syntax.
Fleuriot Damien
ml at my.gd
Thu Nov 29 11:04:21 UTC 2012
On Nov 20, 2012, at 7:46 AM, Odhiambo Washington <odhiambo at gmail.com> wrote:
> On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster <paul.g.webster at googlemail.com> wrote:
>
>> Good day all,
>>
>> I am aware this is a much discussed subject since the upgrade of PF. I
>> believe the final decision was that too many users are used to the old
>> style pf and an upgrade to the new syntax would cause too much confusion.
>>
>> There was a recent debate on ##freebsd about this issue and I was inclined
>> to mail in and get your opinions; basically it boiled down to the majority
>> of users wanting either:
>>
>> 1) To move to the newer pf and just add to the release notes what had
>> happened,
>> and
>> 2) my own personal opinion: creating 'pf2-*' as a kernel option tree,
>> basically using the newer pf syntax and allowing users to choose.
>>
>> I would be interested to know the feedback from you guys as to be honest
>> there seems to be quite a few users who actually DO want the new style
>> format and functionality that comes with.
>>
>> I attached the log of the conversation just for reference.
>>
>>
> It's been difficult enough to maintain PF on FreeBSD because of the time
> needed to be invested in the FreeBSD port.
> This situation remains to date, from what I understand. I guess someone can
> look at how many bugs/feature requests still remain open for PF on FreeBSD.
>
> I therefore feel that whoever wants to run PF should use a dedicated
> OpenBSD box as a firewall/whatever they use PF for.
> There is really no point trying to make FreeBSD be OpenBSD when it comes to
> such requirements. Look at the advantages of "separation of power" - give
> to OpenBSD the firewall power and FreeBSD the server power.
>
> In keeping with the K.I.S.S principle, please let anyone needing new PF
> syntax just use OpenBSD.
>
I for one can't agree with this line of thinking.
The *only* reason we use fbsd at work is as firewalls, which sometimes also act as load balancers through the use of either relayd, nginx, and/or haproxy.
The "real" servers themselves run debian and are much easier and convenient to upgrade.
Following your logic, we'd ditch freebsd entirely, in my case; way to erode the userbase.