 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Vincent Fleuranceau <vincent at bikost dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] any plans on switching to pf?
 Date:  Wed, 10 Nov 2004 04:51:15 -0500
On Wed, 10 Nov 2004 10:38:37 +0100, Vincent Fleuranceau
<vincent at bikost dot com> wrote:
> -------- Original Message --------
> I've not used a recent ftp-proxy version, but if it was just a horrible
> thing, I guess the OpenBSD or PF developers would have enhanced it a
> long time ago...
> Any feedback from the pfsense team?

Part of an email I sent to Manuel: 

Scott is running into other issues as well working on pfSense, like on
FreeBSD you can't use a filtering bridge w/pf because of limitations
in pfil.  In OpenBSD, everything is native hooks to pf, so it doesn't
have that issue.  Scott says he knows how to fix that though, and I
guess it isn't going to be extremely difficult. 

Scott also thinks he'll be able to work around the other issues Manuel
described, though it's far too early to tell.  NAT breaking certain
protocols could definitely be an issue.

I believe Manuel's comments on ftp-proxy were more from a performance
and design perspective (going through userland rather than staying in
kernel) than anything from a functionality standpoint.  The OpenBSD
team tends to do things more securely over doing them faster, so that
might be the reason for that design choice.  But I'm just speculating;
when it comes to kernel stuff, or any deep programming for that
matter, I'm very clue-deficient.  :)