On 7/18/2014 6:51 AM, Franco Fichtner wrote:
>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a long
>> discussion on the pf-mailing list flamed the new syntax saying it would cause
>> FreeBSD administrators too much headache. Today on the list it seems everyone
>> wants it - so would we rather stay on a dead branch than keep up with the main
>> stream?
> I'd say many people are comfortable with an old state of pf (silent
> majority), but that shouldn't keep us from catching up with newer
> features (and of course bugfixes).
Never mistake silence for consent.
The vast majority of people don't know pf is outdated and broken on
FreeBSD because they don't know what they're missing and likely aren't
using IPv6 yet. The moment you turn on IPv6 and restart a validating
unbound, you run full-speed into pf's broken behaviour. Make an
EDNS0-enabled query for a signed zone and you'll get a fragmented UDP
packet that will never make it through unless you tell pf to allow all
fragments unconditionally. They'll simply think something is wrong with
unbound, turn off EDNS0 and/or validation, hurt performance and/or
security in the process, and never realize their firewall is doing
literally the worst possible thing it could do.
All because over half a decade ago some folks got all butthurt over a
config file format change.
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
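The failure mode described in the message above, as an added illustration that is not part of the original thread and is not pf code: a small model of IPv6 fragmentation showing why a filter rule that matches on UDP ports (such as "pass in proto udp from any port 53") lets through only the first fragment of a large DNSSEC answer, and why reassembling fragments before the rule is evaluated (the job of a scrub/reassemble step) delivers the whole answer. The DNS message, the port numbers and the fragment identification value are constructed; the 1280-byte figure is the IPv6 minimum link MTU; the firewall and reassembler are toys, not pf's rule engine.

```python
"""Why a port-matching UDP rule loses large DNSSEC answers unless fragments
are reassembled before the rule is evaluated.

Added illustration, not code from the thread or from pf.  Each packet is
(next_header, bytes after the 40-byte IPv6 base header); only the UDP
header and the IPv6 fragment extension header (RFC 2460, 4.5) are modelled.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44
IPV6_MIN_MTU = 1280

# Constructed stand-in for a signed answer: DNS header (id 0x1234, flags
# QR|RD|RA|AD) plus filler standing in for RRSIG records.  3000 bytes fits
# the 4096-byte EDNS0 buffer a resolver advertises, so the server sends one
# datagram and leaves fragmentation to IP.
SIGNED_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + b"\x00" * 2988


def udp_datagram(sport, dport, payload):
    """UDP header (checksum left zero; irrelevant here) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(upper_layer, next_header, ident, mtu=IPV6_MIN_MTU):
    """Split a datagram as an IPv6 sender does.  Fragment header: next-hdr,
    reserved, (offset/8) << 3 | M flag, identification.  Only the first
    fragment contains the UDP header; the rest start mid-payload."""
    per_frag = (mtu - 40 - 8) // 8 * 8          # 1232 bytes at the minimum MTU
    frags = []
    for off in range(0, len(upper_layer), per_frag):
        piece = upper_layer[off:off + per_frag]
        more = 1 if off + per_frag < len(upper_layer) else 0
        hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        frags.append((IPPROTO_FRAGMENT, hdr + piece))
    return frags


def udp_ports(next_header, data):
    """(sport, dport) if a UDP header is visible in this packet, else None."""
    if next_header == IPPROTO_FRAGMENT:
        nh, _, offflags, _ = struct.unpack("!BBHI", data[:8])
        if offflags >> 3 != 0 or nh != IPPROTO_UDP:
            return None                          # non-first fragment: no ports
        next_header, data = nh, data[8:]
    if next_header != IPPROTO_UDP or len(data) < 8:
        return None
    return struct.unpack("!HH", data[:4])


class Reassembler:
    """Minimal IPv6 fragment reassembly keyed on the identification field."""

    def __init__(self):
        self.pending = {}

    def feed(self, next_header, data):
        """Return (next_header, datagram) once complete, None while waiting."""
        if next_header != IPPROTO_FRAGMENT:
            return next_header, data
        nh, _, offflags, ident = struct.unpack("!BBHI", data[:8])
        off, more = (offflags >> 3) * 8, offflags & 1
        entry = self.pending.setdefault(ident, {"nh": nh, "parts": {}, "end": None})
        entry["parts"][off] = data[8:]
        if not more:
            entry["end"] = off + len(data) - 8
        if entry["end"] is None:
            return None
        joined, expect = b"", 0
        for o in sorted(entry["parts"]):
            if o != expect:
                return None                      # hole: still waiting
            joined += entry["parts"][o]
            expect = o + len(entry["parts"][o])
        if expect != entry["end"]:
            return None
        del self.pending[ident]
        return entry["nh"], joined


def firewall(packets, reassemble):
    """Apply "pass in proto udp from any port 53" to inbound packets and
    return those allowed through.  With reassemble=False each wire packet
    is matched on its own; with reassemble=True fragments are reassembled
    first and the rule sees the whole datagram."""
    allowed, reasm = [], Reassembler()
    for nh, data in packets:
        if reassemble:
            done = reasm.feed(nh, data)
            if done is None:
                continue
            nh, data = done
        ports = udp_ports(nh, data)
        if ports is not None and ports[0] == 53:
            allowed.append((nh, data))
    return allowed


def answer_received_by_resolver(firewall_reassembles):
    """DNS message the resolver's host hands up, or None if it never completes.
    The host's IP stack always reassembles; if the filter dropped fragments
    it waits for them, times out, and the resolver sees nothing."""
    wire = fragment(udp_datagram(53, 51820, SIGNED_ANSWER), IPPROTO_UDP, ident=0x2A2A2A2A)
    host = Reassembler()
    for nh, data in firewall(wire, firewall_reassembles):
        done = host.feed(nh, data)
        if done is not None and done[0] == IPPROTO_UDP:
            return done[1][8:]                   # strip the UDP header
    return None


if __name__ == "__main__":
    print("without reassembly the resolver gets:", answer_received_by_resolver(False))
    print("with reassembly the full answer arrives:",
          answer_received_by_resolver(True) == SIGNED_ANSWER)
```

The 3008-byte datagram becomes three fragments; without reassembly the rule passes only the first, the client host can never complete the datagram, and the resolver sees a timeout rather than a firewall problem. Passing every packet for which `udp_ports` returns None is the "allow all fragments unconditionally" workaround the message refers to: it applies to any protocol and any host, which is why it is the wrong fix.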