 
 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] any plans on switching to pf?
 Date:  Wed, 10 Nov 2004 10:38:37 +0100
-------- Original Message --------

> I gave pf (and FreeBSD 5.3) a try the other day (on a net4501). While
> FreeBSD 5.3 looked OK and pf showed some promise by having a clean
> configuration, the almost complete lack of proxy support for some of
> the most common protocols that don't play nice with NAT (most notably
> FTP) was a major turn-off (or did I miss something there?). Yes, I
> know, there's ftp-proxy, but I think it's heinous (come on, pumping
> all that data through userland! Might be more secure and cleaner, but
> impractical. Besides, filtering by user ID as suggested in
> ftp-proxy's manpage didn't work for me). Furthermore, I ran into some
> NAT issues with SIP - something that worked well with ipfilter
> without doing anything special (just an rdr rule), but with pf I had
> to either use static-port or an additional "nat" rule. I think we'd
> rather move to ipfilter 4.1.3 (once it can be compiled under any
> recent FreeBSD version without major Makefile modifications ;) than
> pf.
> 

I've not used a recent ftp-proxy version, but if it were just a horrible 
thing, I guess the OpenBSD or PF developers would have enhanced it long 
ago by now...

Any feedback from the pfsense team?

-- Vincent
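For readers who want to see what the quoted message is describing in concrete terms, the following pf.conf fragment is an added example, not code from the original thread, from m0n0wall or from pfSense. It uses the nat/rdr dialect that FreeBSD's pf (and pre-4.7 OpenBSD) accepts. The interface names, networks, phone address and the inetd-launched ftp-proxy on port 8021 are assumptions chosen for illustration.

```conf
# Added example (not from the thread): pf.conf fragment showing the two
# NAT cases raised above, in the FreeBSD / old-OpenBSD nat/rdr syntax.
# Interface names, networks and addresses are assumptions.
ext_if   = "sis0"
int_if   = "sis1"
int_net  = "192.168.1.0/24"
sip_phone = "192.168.1.20"

# --- SIP ---
# A plain nat rule rewrites the source port, so a phone sending from
# UDP 5060 shows up outside on a random high port. Peers that reply to
# 5060 regardless of the packet's source port then never get mapped back.
# This is the rule that, on its own, is not enough:
#   nat on $ext_if from $int_net to any -> ($ext_if)

# static-port keeps the original source port. nat/rdr rules are
# first-match, so the narrow SIP rule must come before the general one;
# keeping it to one host and one port leaves port randomisation in place
# for everything else.
nat on $ext_if proto udp from $sip_phone to any port 5060 -> ($ext_if) static-port
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound calls: an rdr only covers the inbound direction, which is why
# it is paired with the static-port rule above.
rdr on $ext_if proto udp from any to ($ext_if) port 5060 -> $sip_phone port 5060

# --- FTP ---
# pf has no in-kernel FTP helper. The 2004-era ftp-proxy was started by
# inetd on localhost, e.g. in inetd.conf (assumed path):
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# and client control connections are redirected to it.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Filter rules still have to admit the translated traffic; filtering
# sees the post-translation addresses.
pass in on $ext_if proto udp from any to $sip_phone port 5060 keep state
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
```

The static-port rule is deliberately scoped to the one phone and UDP 5060: applying static-port to all traffic would give up pf's source-port randomisation for every outbound connection. Data connections for FTP are then handled by the proxy itself; ftp-proxy(8) documents the additional filter rules active-mode transfers need.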