-------- Original Message --------
> I gave pf (and FreeBSD 5.3) a try the other day (on a net4501). While
> FreeBSD 5.3 looked OK and pf showed some promise by having a clean
> configuration, the almost complete lack of proxy support for some of
> the most common protocols that don't play nice with NAT (most notably
> FTP) was a major turn-off (or did I miss something there?). Yes, I
> know, there's ftp-proxy, but I think it's heinous (come on, pumping
> all that data through userland! Might be more secure and cleaner, but
> impractical. Besides, filtering by user ID as suggested in
> ftp-proxy's manpage didn't work for me). Furthermore, I ran into some
> NAT issues with SIP - something that worked well with ipfilter
> without doing anything special (just an rdr rule), but with pf I had
> to either use static-port or an additional "nat" rule. I think we'd
> rather move to ipfilter 4.1.3 (once it can be compiled under any
> recent FreeBSD version without major Makefile modifications ;) than
> pf.
>
I've not used a recent ftp-proxy version, but if it were just a horrible
thing, I guess the OpenBSD or PF developers would have enhanced it a
long time ago...
Any feedback from the pfsense team?
-- Vincent