On Tue, 11 Mar 2008, Igor Zinovik wrote:
> I decided to switch from ipf to pf at work. So I try to explain to
> coadmin why pf is better than ipf. My main arguments for switching from
> ipf are that pf is still maintained and feature rich. Main disadvantage
> of ipf is that it is hard to maintain configuration file (since it does
> not support macros we created shell script to obtain macro support).
These arguments are not true.

IPF is maintained. FreeBSD's official handbook says "IPFILTER is actively being supported and maintained, with updated versions being released regularly." The FAQ was last updated in 07/05/07 (July 2007 I assume). It looks like the latest release of IP Filter (4.1.28) was released on Oct. 17, 2007.
IPF is feature rich. Some examples: tuning during run-time; save state over reboots; active and testing filter which can be swapped; can generate C code for filter rules hard-coded in custom kernel; flush specific TCP states (at run-time); flush idle states that are a certain age (at run-time); provides tools to generate simple ruleset and testing of rulesets without enabling on real firewall (and using various packet input formats); able to call kernel functions per a rule; authentication (such as password) for rules; lookup tables; packet per second matching; a few built-in proxies; some load balancing; checksum verifications; and more.
IPF does support macros. It has always supported nested variable substitution. (Sadly this is not documented.)
Jeremy C. Reed
p.s. I primarily use PF because of its great documentation -- in fact, I published an edited, indexed, cross-referenced, and improved version of some PF docs in book format.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"