Firewall Options
Koornstra, Reinoud
koornstra at hp.com
Mon Mar 4 22:55:20 UTC 2013
Hi Mark,
Why not consider NPF from NetBSD where SMP friendly firewalling is a given.
I do understand it'll cost lots of work too, but it might be more easy to making pf SMP friendly.
Then again, making software MPsafe and having it perform very well with SMP are two different things.
Considering NPF has been taking this into account from day one, performance-wise it might be best to consider NPF.
Please note that I didn't say anything about the quality or functionality of pf and npf.
NPF was designed with performance in mind.
Also I did not say anything about the memory usage and their efficiency in that field.
I feel I need to point these things out before I unintentionally offend some people.
Thanks,
Reinoud.
-----Original Message-----
From: owner-freebsd-security at freebsd.org [mailto:owner-freebsd-security at freebsd.org] On Behalf Of Mark Felder
Sent: Monday, March 04, 2013 6:13 AM
To: freebsd-security at freebsd.org; Robert Simmons
Subject: Re: Firewall Options
On Sun, 03 Mar 2013 17:12:18 -0600, Robert Simmons <rsimmons0 at gmail.com> wrote:
> Are there plans to update ipfilter or pf to current versions?
> ipfilter is currently at 5.1.2, but the version in FreeBSD is 4.1.28
> from 2007.
>
> On the pf side, the version in FreeBSD is 4.5, but the current version
> I would understand to be 5.2. The version in FreeBSD is pre-4.7, so
> much of the syntax in the current documentation is different and does
> not work in this older version.
>
> Is IPFW the only maintained firewall option, or is there a way to
> build either of the above as ports?
>
It takes a *lot* of work to re-port packet filters to a different BSD kernel and ensure everything works perfectly. We recently received a nice pf version bump with the release of 9.0 and it doesn't seem likely we'll see another soon. There is an SMP-friendly fork of pf in progress for FreeBSD. It may very well turn out that FreeBSD's pf completely diverges from OpenBSD's permanently as OpenBSD has no interest in an SMP-friendly pf.
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
As for IPFW -- I honestly don't know. I can't remember the last time there was a major update of IPFW for FreeBSD.