There is no doubt that PF is a really good firewall, but we should note that ipfw is originally from FreeBSD while PF is from OpenBSD.

If there is a requirement that PF can meet but ipfw cannot, then I think it is better to improve ipfw. But if you just like the PF style, then I think choosing OpenBSD is the better solution. Actually, OpenBSD is another really good operating system. Like myself, I like CentOS and ipfw, so no choice :)

> -----Original Message-----
> From: owner-freebsd-curr...@freebsd.org [mailto:owner-freebsd-curr...@freebsd.org] On Behalf Of Andreas Nilsson
> Sent: 21 July, 2014 19:46
> To: sth...@nethelp.no
> Cc: Maxim Khitrov; Current FreeBSD; Mailinglists FreeBSD
> Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
>
> On Mon, Jul 21, 2014 at 8:56 AM, <sth...@nethelp.no> wrote:
>
> > > > > Also, the openbsd stack has some essential features missing in
> > > > > freebsd, like mpls and md5 auth for bgp sessions.
> > > >
> > > > I use MD5 auth for BGP sessions every day (and have been doing so
> > > > for several releases). One could definitely wish for better
> > > > integration - having to specify MD5 key both in /etc/ipsec.conf
> > > > and in the Quagga bgpd config is not nice. But it works.
> > >
> > > As far as I know you can only send out correctly authed stuff but
> > > not validate incoming. Has that changed?
> >
> > Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> > in r221023, see
> >
> > http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
> >
> > Steinar Haug, Nethelp consulting, sth...@nethelp.no
> >
> > ----------------------------------------------------------------------
> >
> > Revision 221023 - Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
> > File length: 106717 byte(s) Diff to previous 220560
> >
> > Add the possibility to verify MD5 hash of incoming TCP packets.
> >
> > As long as this is a costly function, even when compiled in (along with
> > the option TCP_SIGNATURE), it can be disabled via the
> > net.inet.tcp.signature_verify_input sysctl.
> >
> > Sponsored by: Sandvine Incorporated
> > Reviewed by: emaste, bz
> > MFC after: 2 weeks
>
> I stand corrected. Excellent news (for me, that is) :)
>
> Best regards
> Andreas
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
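Added example, not code from the thread or from FreeBSD: a Python model of the RFC 2385 TCP MD5 Signature Option that the input-side check discussed above (tcp_signature_verify()) has to validate, with the digest computed over the pseudo-header, the checksum-zeroed fixed TCP header (options excluded), the segment data and the shared key. The addresses, port numbers, key and payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE = 19, 18   # RFC 2385: kind 19, len 2 + 16-byte MD5


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 sec. 2: MD5(pseudo-header | fixed TCP header with checksum=0,
    options excluded | segment data | key). Segment length includes options."""
    doff = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[doff:] + key).digest()


def sign_segment(src_ip, dst_ip, fixed_hdr, payload, key):
    """Sender side: append the signature option (plus two NOPs for 4-byte
    alignment) to a 20-byte TCP header and fill in the digest."""
    flags = struct.unpack("!H", fixed_hdr[12:14])[0] & 0x0FFF
    hdr = fixed_hdr[:12] + struct.pack("!H", (10 << 12) | flags) + fixed_hdr[14:20]
    option = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE])
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + option + b"\x00" * 16 + b"\x01\x01" + payload, key)
    return hdr + option + digest + b"\x01\x01" + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: locate option kind 19, recompute the digest and compare in
    constant time. A missing or malformed option fails, so the caller drops it."""
    doff = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if doff < 20 or doff > len(segment):
        return False
    opts, i = segment[20:doff], 0
    while i < len(opts) and opts[i] != 0:           # kind 0 = end of options
        if opts[i] == 1:                            # kind 1 = NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False                            # malformed option length
        if opts[i] == TCPOPT_SIGNATURE and opts[i + 1] == TCPOLEN_SIGNATURE:
            expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
            return hmac.compare_digest(bytes(opts[i + 2:i + 18]), expected)
        i += opts[i + 1]
    return False


# Constructed sample (not from the thread): a PSH/ACK segment to BGP port 179.
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"constructed-shared-secret"
FIXED_HDR = struct.pack("!HHIIHHHH", 40001, 179, 1000, 2000, 0x5018, 65535, 0, 0)
SAMPLE = sign_segment(SRC, DST, FIXED_HDR, b"\xff" * 16 + b"\x00\x13\x04", KEY)
```

Note that the digest excludes the TCP options, so a peer can still inject or alter options such as MSS without failing the check; the sysctl mentioned in the commit message only toggles whether this verification runs at all.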