Subject: Re: pf for NetBSD
To: Michael Graff <>
From: Greg A. Woods <>
List: tech-net
Date: 11/08/2002 23:31:14
[ On , November 8, 2002 at 16:51:45 (-0800), Michael Graff wrote: ]
> Subject: Re: pf for NetBSD
> I'm not thrilled with ipf -- I find it cumbersome at least, and
> fickle.

That's the nature of the beast -- you're dealing with _very_ complex
issues when you're trying to implement policy by examining network
traffic at the packet level.  I've not yet seen any other packet
filtering system that's any less cumbersome or fickle if it provides a
decent enough level of flexibility.  I've looked at OpenBSD's 'pf', at
the packet filtering in SCO Unix and UnixWare, at 'ipfw', and of course
at various routers (Cisco IOS, Riverstone, Juniper, etc.).  UnixWare has
some nice features in its ruleset language but generally I like 'ipf'

								Greg A. Woods

+1 416 218-0098;            <>;           <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>