Hi,
I recently configured a firewall using ipfw. While I was reasonably happy with the IPv4 and IPv6 integration, I did encounter 3 serious bugs in the IPv6 handling of ipfw (IPv6 fragment reassembly fails; IPv6 over loopback interface is incorrectly reported as if it would use another interface; outgoing ICMPv6 replies are matched as incoming traffic). Nothing that can be circumvented by some rules, but time-consuming nonetheless.
I was wondering if it would be worthwhile to move to PF (I read that PF and IPF are similar, but PF has more active development).
I currently have 100 IPFW rules. If you have a similarly sized PF setup (small-office size) and are actively using IPv6, could you comment on how many missing features (or bugs) you encountered with PF? Are all IPv4 features also present for IPv6 in PF?