tech-kern archive


Re: Removing PF



On 02/04/2019 at 20:46, MLH wrote:
> I continue to use pf and not npf because :
>
> 1) I couldn't get std rulesets to seem to work (been a while though)
> 2) no port redirection
> 3) dynamic ruleset use didn't appear to be adequate
> 4) greylisting (not just email) for custom stuff that I can't see
>     how to support in npf.
> 5) Needs far more documentation and help than I have seen.
>
> I would like to move to npf as some future features look nice (SYN
> floods, DoS attacks, etc). However, in addition to std rulesets,
> etc, I use log followers to block attacks. While not the main
> security, they really help hold down traffic, etc. and I'm not
> anywhere near willing to give them up. I tried using blacklistd
> but never could get it to work (also been a while).

At least people answer the question that was asked, so thanks for that
already.

However, I must say I'm still a bit confused by this answer (and the others
I've seen). Do you understand that PF is a clear security risk for your
system? Or, you obviously understand, but don't care much? Sure, PF has
features NPF doesn't have; but a firewall is supposed to stop the fire,
not create the conditions for it to spread. And sure, every piece of software has bugs,
but you don't need to have a Nobel Prize to understand that 11-year-old unmaintained
software has many more bugs than its up-to-date version; in the case of PF
it is obviously proven.

In essence, if it's that you don't care, then indeed keeping PF may not be a
real problem for us, except looking a bit irresponsible. I mean, we don't
care either if you give your credit card number to every stranger that calls
you on the phone... some responsibility is on the user's side. However, I do
believe that our responsibility is still to prevent confusion, even when it
implies removing some features. Yes, it is sad if you can't use ftp-proxy on
NPF for now, yes NPF's syntax is not the same as PF's, and so on. But NPF
equally has many advanced benefits, that you don't get with PF. If you really
want to use PF, I would recommend that you switch to another OS, for your own
safety. PF has no future in NetBSD.

It's been one decade of this, at some point we need to cut the crap.

