On Sat, Feb 12, 2005 at 07:43:05PM +0100, Michel Talon wrote: > Third it gives the impression of un unmaintained and crappy codebase, and > this is bad. Let us look at the 3 firewall packages in FreeBSD-5.3. Only > one of them has been fine grained locked, i.e. pf. At the same time pf > is coupled with altq which is notoriously the best traffic shaping utility > available in FreeBSD. (a) There is ALTQ support for IPFW2 in FreeBSD. (b) Once IPFW(2) is untangled from main network code and cleanly isolated and module loadable, I have to strong reason to remove it. (c) Noone in DF land actively maintains ipf. (d) PF has to synced with OpenBSD 3.6. (e) The interaction of firewalls and a multi-threaded CPU-bound network stack has not been evaluated yet. This is much more involved and difficult work than "fine grained locking", which can be done somewhat mechanical. Just to throw some actual facts into this discussion. Until someone wants to contribute code for (a) - (e), I'd like to let this thread die. Joerg