Subject: Re: pf for NetBSD
To: Jaromir Dolecek <jdolecek@netbsd.org>
From: Joel Wilsson <joelw@sii.unix.se>
List: tech-net
Date: 11/06/2002 13:22:05
Personally I don't care, because the main reason I did this was to
learn more about the kernel, but I guess some might find it useful
to take a ruleset from their OpenBSD firewalls and use it directly
under NetBSD.

And it has been asked about, so I thought "why not?":
http://mail-index.netbsd.org/tech-kern/2002/10/23/0001.html

I don't know enough about ipfilter to answer your question, but
iirc ipfilter can't pick up the state of existing TCP connections
when it starts up (pf can). Oh, and the pf code is a lot cleaner imo.

http://www.benzedrine.cx/pf-paper.pdf is worth reading to learn more.


Not relevant to your question, but it seems there is a problem with
pflog under NetBSD. I'll try to fix that if there's any interest.


//joelw


On Wed, Nov 06, 2002 at 11:15:33AM +0100, Jaromir Dolecek wrote:
> I wonder what exactly the advantage of 'pf' over 'ipf' is. Perhaps you
> could summarize the differences?
> 
> Jaromir
> 
> Joel Wilsson wrote:
> >   Attached is a tar-ball that contains a patch and the new files pf
> > needs. It uses the pfil_hook feature under NetBSD, so the changes to
> > the existing code are fairly small (the only big one is breaking out
> > the ip fragmentation code to a separate function, ip_fragment).
> > 
> > I couldn't get NAT to work, but that could be my fault. Everything
> > else seems to work, but I haven't had time to test it all that much.
> > 
> > Copy it to src/, untar, apply the patch, and build world.
> > Please let me know if it works or not.
> 
> 
> -- 
> Jaromir Dolecek <jdolecek@NetBSD.org>            http://www.NetBSD.org/
> -=- We should be mindful of the potential goal, but as the tantric    -=-
> -=- Buddhist masters say, ``You may notice during meditation that you -=-
> -=- sometimes levitate or glow.   Do not let this distract you.''     -=-