[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] pf & ALTQ in m0n0wall?
 Date:  Thu, 24 Feb 2005 01:41:28 -0500
On Thu, 24 Feb 2005 00:19:26 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
> Hello,
> 
> I know I'm getting ahead of myself a bit, but
> are pf + ALTQ on the roadmap for m0n0wall instead
> of ipfw + ipnat + ipfilter now that we have a
> FreeBSD 5.3 based m0n0wall Beta?
> 

Manuel has mentioned this in the past. 
http://m0n0.ch/wall/list-dev/?action=show_msg&actionargs%5B%5D=5&actionargs%5B%5D=35
http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=5&actionargs%5B%5D=86

Lack of speed isn't true anymore, that post was September 2003 when
FreeBSD's pf port was very young.


> I only ask because:
> 
> a.) People have mentioned at various times in the
>     past that pf might be the solution to a
>     number of the current quirks or problems
>     in m0n0wall.
> 

Disclaimer:  though I'm the co-founder of pfSense, I haven't really
spent a lot of time on it.  I haven't been involved with the
development at all (I'm not much of a programmer), but here's what
I've gathered from hanging out in the IRC channel.

pf comes with its own set of quirks though.  It would help solve some
issues, like load balancing, stateful failover, host/service groups,
and others I'm sure I'm missing.  I believe IPFilter 4 also solves
some of the same problems, or maybe all of them.

I'd rather see ALTQ with ipfw first (possible and stable if you
backport code from FreeBSD 6 for ipfw).  pfSense actually uses ipfw
for ALTQ, because it's a whole lot easier to keep your shaping rules
separate from your firewall rules.


> b.) I'm reading the pf man pages and it does indeed
>     look like a much more unified, complete, and
>     powerful system.
> 
> However, I realize that a ton of work would be
> necessary to make the switch, learn to work around
> any quirks in pf (assuming that there aren't any
> show stoppers), then eventually get back to the
> level of reliability we have with
> ipfw + ipnat + ipfilter. Frankly, it seems that
> either a separate project or at least a version
> fork (kind of like the difference between FreeBSD
> 4.x and 5.x) would be necessary.
> 

Most of the work is done already.  Manuel could import pfSense code
pretty quickly, if he so desired.  At this point, if I were Manuel I'd
sit back for a couple months and let that code mature.  We have a
couple experienced pf users as new developers now, and they're
cleaning up a lot of stuff.

-Chris