[146319] in North American Network Operators' Group
Re: Firewalls - Ease of Use and Maintenance?
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Wed Nov 9 08:24:32 2011
X-Envelope-To: <nanog@nanog.org>
Date: Wed, 09 Nov 2011 13:24:20 +0000
From: Nick Hilliard <nick@foobar.org>
To: nanog@nanog.org
In-Reply-To: <20111109122227.GA5320@gsp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 09/11/2011 12:22, Richard Kulawiec wrote:
> You will find it very difficult to beat pf on OpenBSD for efficiency,
> features, flexibility, robustness, and security. Maintenance is very
> easy: edit a configuration file, reload, done.
There are several areas where pf falls down. One is auto-synchronisation
from primary to backup firewall (not really a pf problem, but it's
important for production firewall systems). Another is ipv6 fragments,
although this was mostly fixed in a commit on 20110329 (released in 5.0),
which unfortunately has not yet made its way to freebsd. A third is
openbsd's poor ethernet hardware interrupt handling. Again, this has
improved recently, but it still lags seriously behind linux / freebsd.
Having said that, it's still my least disfavoured stateful packet filtering
system.
Nick