Future of pf in FreeBSD ? - does it have one ?
Mark Martinec
Mark.Martinec+freebsd at ijs.si
Wed Jul 9 12:42:56 UTC 2014
On 2014-07-09 0:32, Kristian K. Nielsen wrote:
> f) IPv6 support?- it seem to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments which has been open
> since 2008 and where the workaround is having to leave an open hole
> in your firewall ruleset to allow all fragments. According to a comment in
> the bug, this has been long gone in OpenBSD.
The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
Besides the long-standing bugs (like: scrub reassemble tcp
breaks CRC on IPv6), the following stands out:
- last time I looked, neither PF nor IPFW could be used on a
FreeBSD kernel built WITHOUT_INET. This means that features
like ssh-guard and per-application protection on a dedicated
IPv6-only host are not available
- no support for IPv6 prefix translation,
and no stateful NAT64 support
Then, unrelated to IPv6:
- no support for DSCP (the TOS byte includes ECN bits, hard to
filter out)
- the new 'match' mechanism would be really nice to have
Mark
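The DSCP point above (the TOS byte carries two ECN bits alongside the six DSCP bits, so exact matching on the whole byte misses ECN-marked traffic) is illustrated by the following added example; it is not part of the mailing-list post and assumes, as the post implies, that pf's `tos` option compares the full TOS byte rather than masking it. The interface name `em0` and the rule template are illustrative.

```python
# Added example, not from the original post. Splits a TOS / Traffic Class
# byte into DSCP and ECN, and enumerates the four TOS values a DSCP code
# point can appear with, so a ruleset that can only match the whole byte
# (assumption about pf's `tos` option) still catches ECN-marked packets.

# A few standard DSCP code points (RFC 2474 / RFC 3246 values)
DSCP_NAMES = {"CS0": 0, "CS1": 8, "AF11": 10, "EF": 46}


def split_tos(tos: int):
    """Return (dscp, ecn) from an 8-bit TOS byte: high 6 bits DSCP, low 2 ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos >> 2, tos & 0x3


def tos_values_for_dscp(dscp: int):
    """All four TOS byte values carrying this DSCP, one per ECN marking."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return [(dscp << 2) | ecn for ecn in range(4)]


def pf_rules_for_dscp(dscp: int, action="pass", direction="in", iface="em0"):
    """Emit one rule per TOS value so ECN-marked packets are not missed.

    Rule text is a hypothetical template; adjust to the real ruleset.
    """
    return [
        f"{action} {direction} on {iface} inet proto tcp tos 0x{tos:02x}"
        for tos in tos_values_for_dscp(dscp)
    ]


if __name__ == "__main__":
    # Constructed sample: EF (46) with ECN "ECT(1)" set gives TOS 0xb9
    print(split_tos(0xB9))
    for rule in pf_rules_for_dscp(DSCP_NAMES["EF"]):
        print(rule)
```

Four rules per DSCP value is what exact byte matching costs; a `tos` option that masked the ECN bits (or a DSCP-aware keyword) would collapse them into one, which is the gap the post describes.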