On 09.11.2004 22:28 +0100, lola wrote:
> since freebsd 5 is stable... are there any plans of migrating from
> ipfilter to pf?
> < http://www.freebsd.org/cgi/url.cgi?ports/security/pf/pkg-descr >
> afaik that would be good for getting rid of ipfw since this is only
> available in mono because of its traffic shaping capabilities and
> pf has a built in traffic shaper!?!?
> also i've heard that pf is expectetd to be "better" than ipfilter.
> what do you think?
I gave pf (and FreeBSD 5.3) a try the other day (on a net4501). While
FreeBSD 5.3 looked OK and pf showed some promise by having a clean
configuration, the almost complete lack of proxy support for some of
the most common protocols that don't play nice with NAT (most notably
FTP) was a major turn-off (or did I miss something there?). Yes, I
know, there's ftp-proxy, but I think it's heinous (come on, pumping
all that data through userland! Might be more secure and cleaner, but
impractical. Besides, filtering by user ID as suggested in
ftp-proxy's manpage didn't work for me). Furthermore, I ran into some
NAT issues with SIP - something that worked well with ipfilter
without doing anything special (just an rdr rule), but with pf I had
to either use static-port or an additional "nat" rule. I think we'd
rather move to ipfilter 4.1.3 (once it can be compiled under any
recent FreeBSD version without major Makefile modifications ;) than