 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: pf & ALTQ in m0n0wall?
 Date:  Thu, 24 Feb 2005 10:11:47 -0500
Chris Buechler wrote:

> On Thu, 24 Feb 2005 00:19:26 -0500, Jesse Guardiani <jesse at wingnet dot net>
> wrote:
>> Hello,
>> I know I'm getting ahead of myself a bit, but
>> are pf + ALTQ on the roadmap for m0n0wall instead
>> of ipfw + ipnat + ipfilter now that we have a
>> FreeBSD 5.3 based m0n0wall Beta?
> Manuel has mentioned this in the past.
> http://m0n0.ch/wall/list-dev/?action=show_msg&actionargs%5B%5D=5&actionargs%5B%5D=35
> http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=5&actionargs%5B%5D=86
> Lack of speed isn't true anymore, that post was September 2003 when
> FreeBSD's pf port was very young.
>> I only ask because:
>> a.) People have mentioned at various times in the
>>     past that pf might be the solution to a
>>     number of the current quirks or problems
>>     in m0n0wall.
> Disclaimer:  though I'm the co-founder of pfSense, I haven't really
> spent a lot of time on it.  I haven't been involved with the
> development at all (I'm not much of a programmer), but here's what
> I've gathered from hanging out in the IRC channel.
> pf comes with its own set of quirks though.

That's part of what I'm getting at with this post. I'm sure that pf
solves some of the problems encountered with ipfw + ipnat + ipfilter,
but does it do so without major regressions? And if it does introduce
regressions, are the number and severity of regressions less than those
problems encountered with the current system?

Could you elaborate (or get one of your pfSense programmers to elaborate)
on some of pf's quirks?

Really, I'm looking at it like this:

1.) Are the quirks programming issues, or FILTERING issues? In other
    words, do they require a different way of doing things (which is
    perfectly acceptable, IMO), or do they ultimately keep you from
    doing some of the things you want/need to do?

2.) In general, is pf *better* than the current system, or is it lacking,
    and why?

I could answer these questions myself after 2 or 3 months of tinkering,
but I figure the pfSense folks and some of the m0n0wall folks have probably
already been there and done that and might be able to save me some time.

> It would help solve some 
> issues, like load balancing, stateful failover, host/service groups,
> and others I'm sure I'm missing.  I believe IPFilter 4 also solves
> some of the same problems, or maybe all of them.
> I'd rather see ALTQ with ipfw first (possible and stable if you
> backport code from FreeBSD 6 for ipfw).  pfSense actually uses ipfw
> for ALTQ, because it's a whole lot easier to keep your shaping rules
> separate from your firewall rules.

Can you elaborate on this? Why use ALTQ with ipfw? Can't pf itself do
the same things without ipfw, and with greater power and flexibility?
Is this choice merely to ease migration from a system integration

Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
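To illustrate the coupling Jesse asks about in his last question (why keep ALTQ on ipfw rather than letting pf do it), here is a constructed pf.conf fragment, added as an example and not taken from the thread, m0n0wall or pfSense; the interface name, bandwidths and ports are assumptions. In pf, a packet is assigned to a queue by the very `pass` rule that admits it, so shaping policy lives inside the filter rule set instead of beside it.

```conf
# Constructed example: pf with ALTQ on a FreeBSD 5.x-era box.
# $ext_if is an assumed macro for the WAN interface.
ext_if = "fxp0"

# Shaping policy: one CBQ scheduler on the WAN link with three child queues.
# Numbers are illustrative, not measured.
altq on $ext_if cbq bandwidth 2Mb queue { std, ssh, bulk }
queue std  bandwidth 50% cbq(default)        # catch-all for unclassified traffic
queue ssh  bandwidth 25% priority 7          # interactive traffic, highest priority
queue bulk bandwidth 25% cbq(borrow)         # may borrow idle bandwidth from parent

# Filtering policy: the "queue" keyword on a pass rule is the ONLY way a
# packet reaches a non-default queue. Change the filter rule and you have
# changed the shaping; there is no separate classifier to edit.
block in log all
pass out on $ext_if proto tcp from any to any port 22 keep state queue ssh
pass out on $ext_if proto tcp from any to any port 80 keep state queue bulk
pass out on $ext_if proto { tcp udp icmp } all keep state          # lands in std

# Verification after loading (run as root, assumed workflow):
#   pfctl -nf /etc/pf.conf      parse only, catches altq/queue syntax errors
#   pfctl -f  /etc/pf.conf      load rules and queues
#   pfctl -vvsq                 show queue statistics and confirm traffic
#                               is actually landing in ssh/bulk, not std
```

Because every queue assignment is attached to a filter rule, auditing "what gets shaped" means auditing the firewall rules themselves, which is the trade-off Chris describes when he says ipfw keeps shaping rules separate.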