On 09.11.2004 22:28 +0100, lola wrote:
> since freebsd 5 is stable... are there any plans of migrating from
> ipfilter to pf?
>
> < http://www.freebsd.org/cgi/url.cgi?ports/security/pf/pkg-descr >
>
> afaik that would be good for getting rid of ipfw since this is only
> available in mono because of its traffic shaping capabilities and
> pf has a built in traffic shaper!?!?
>
> also i've heard that pf is expected to be "better" than ipfilter.
>
> what do you think?

I gave pf (and FreeBSD 5.3) a try the other day (on a net4501). While
FreeBSD 5.3 looked OK and pf showed some promise by having a clean
configuration, the almost complete lack of proxy support for some of
the most common protocols that don't play nice with NAT (most notably
FTP) was a major turn-off (or did I miss something there?). Yes, I
know, there's ftp-proxy, but I think it's heinous (come on, pumping
all that data through userland! Might be more secure and cleaner, but
impractical. Besides, filtering by user ID as suggested in
ftp-proxy's manpage didn't work for me). Furthermore, I ran into some
NAT issues with SIP - something that worked well with ipfilter
without doing anything special (just an rdr rule), but with pf I had
to either use static-port or an additional "nat" rule. I think we'd
rather move to ipfilter 4.1.3 (once it can be compiled under any
recent FreeBSD version without major Makefile modifications ;) than
pf.

- Manuel