New PF on FreeBSD snapshot available

← Back to Stories (view on slashdot.org)

New PF on FreeBSD snapshot available

Posted by michael on Thursday April 24, 2003 @04:27AM from the latest-and-greatest dept.

Dan writes "Pyun YongHyeon and Max Laier announce a new release of PF for FreeBSD, which is available for download. Since the first release of PF at the end of March 2003, PF has undergone several major updates such as -current and ALTQ support. They have also removed bugs in IPv6, module handling and table support code and believe the current version 0.61 is very close to production use."

4 of 58 comments (clear)

Min score:

Reason:

Sort:

Re:For those not keeping score... by hununu · 2003-04-24 10:25 · Score: 3, Interesting

In order to get pf's nice features into ipfilter, you would have brain-wash Darren Reed I guess. :-)
pf has a lot of interesting things like alt-q integration (yes, not implemented in -current yet but there are working patches at altq's site), tables, etc (you mentioned them).

And yes, more is better. A lot of people (including me) use on some servers ipfw and ipfilter/ipnat at the same time because it's useful and you can take the best of each "world". pf introduction will give users even more options, nothing more, nothing less.
Re:For those not keeping score... by R.Caley · 2003-04-24 21:39 · Score: 2, Interesting

However, if you want a serious firewall, you should already be going with OpenBSD anyway :)
Actually, Theo's `licencing restrictions are for the lower orders not me' squabble with Darren Reed happened just when I was getting ready to put ina firewall. OBSD was the planned system, but theere is no way I was going to run a brand new piece of software in such a role, and I'm not sure I think PF is long enough in the tooth to be comfortable yet. So my firewall and the two I am setting up for work are FBSD/ipfw.

--
_O_ .|< The named which can be named is not the true named
Re:Now we have to relearn FreeBSD networking?? by Ded+Bob · 2003-04-25 00:45 · Score: 2, Interesting

The reason why :q! command in vi still works is because it was standardized in UNIX a long time ago and never changed.

Having Emacs (yuck! :)) on your computer along with vi does not change :q!. This is the same.

For Linux, it was closer to going from vi to ee to emacs for the base editor.
Re:For those not keeping score... by Whyzzi · 2003-04-25 10:08 · Score: 3, Interesting

When pf was in 3.0 -current, it wasn't ready for prime time. 3.1 -stable was alot better, lacked a few features, but way better. I (could be wrong , but I) am of the belief that they've added (not fixed) features since 3.2, and it is awesome.

I'm using a 3.3 snapshot from March @ my small organization's 60pc firewall -- one as a bridge protecting my w2k server, the other as 3nic internet/nat+squid/dmz firewall -- both machines are utilizing altq to aggregate traffic nicely, on 64meg 166Mhz pentium classics no less. Squid tends to make my *uptime* pop over 1.00 once and awhile, but before I added squid the machine never broke a sweat.

I played with linux's ipchains, and couldn't get used to the syntax ipchains required. I've used OpenBSD since 2.8, first with ipfilter (forced me to learn global string searching in vi), and gladly moved to pf. The macros and variable expansion simplify the configuration process considerably (my pf.conf is 217 lines long - macros, tcp options, altq, redirects and finally filters - all with adequate spacing and comments), and resetting the rules (likely other firewalling tools have this too) without losing state.

Please, don't hesitate to order 3.3 when it is released, or at least check out pf in either FreeBSD or OpenBSD.

--
"BSD is about people pissing each other.." (Moid Vallat)