hi manuel,
thx for your opinion.
i tested an installation of freebsd 5 current and pf about six months ago,
just before finding out about m0n0. it seemed to work but i'm not quite a
firewall guru like you ;-)
--
lola
/"\
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \
On 09.11.2004 22:55, "Manuel Kasper" <mk at neon1 dot net> wrote:
> On 09.11.2004 22:28 +0100, lola wrote:
>
>> since freebsd 5 is stable... are there any plans of migrating from
>> ipfilter to pf?
>>
>> < http://www.freebsd.org/cgi/url.cgi?ports/security/pf/pkg-descr >
>>
>> afaik that would be good for getting rid of ipfw since this is only
>> available in m0n0 because of its traffic shaping capabilities and
>> pf has a built in traffic shaper!?!?
>>
>> also i've heard that pf is expected to be "better" than ipfilter.
>>
>> what do you think?
>
> I gave pf (and FreeBSD 5.3) a try the other day (on a net4501). While
> FreeBSD 5.3 looked OK and pf showed some promise by having a clean
> configuration, the almost complete lack of proxy support for some of
> the most common protocols that don't play nice with NAT (most notably
> FTP) was a major turn-off (or did I miss something there?). Yes, I
> know, there's ftp-proxy, but I think it's heinous (come on, pumping
> all that data through userland! Might be more secure and cleaner, but
> impractical. Besides, filtering by user ID as suggested in
> ftp-proxy's manpage didn't work for me). Furthermore, I ran into some
> NAT issues with SIP - something that worked well with ipfilter
> without doing anything special (just an rdr rule), but with pf I had
> to either use static-port or an additional "nat" rule. I think we'd
> rather move to ipfilter 4.1.3 (once it can be compiled under any
> recent FreeBSD version without major Makefile modifications ;) than
> pf.
>
> - Manuel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch