Slashdot Mirror

← Back to Stories (view on slashdot.org)

Custom OpenBSD 3.0 with IPFilter From Darren Reed

Posted by timothy on from the isos-to-follow dept.

rjk191 writes: "Darren Reed, the author of IPFilter, has created his own release of OpenBSD which puts IPFilter back in. IPFilter was removed from OpenBSD 3.0 by the OpenBSD team due to license issues. See his newsgroup posting that announces it here." Here's the whole thread for some more information.

2 of 265 comments (clear)

  1. IPFilter: Any advantages over pf? by Frater+219 · · Score: 5, Interesting

    I'm looking to put together a new organizational firewall soon, and am in the process of selling my boss on the idea of doing it on OpenBSD with pf. (His original preference had been to implement it on our Cisco routers, which strikes me as a loss for maintainability.) Prior to settling on OpenBSD, I'd looked into using IPFilter on Solaris or FreeBSD, but OpenBSD's reputation clinched it for me.

    Nevertheless, I'm wondering: Am I missing something? Besides rule-for-rule compatibility with older IPFilter systems (which we don't have), is there any actual, concrete advantage of IPFilter over pf?

  2. Re:Free as in... fascism? by Frater+219 · · Score: 5, Interesting
    IPtables and Rusty's Netfilter code has been kicking ipfilter's proverbial ass since the first release of Linux 2.4, both in terms of features and security.

    Political rhetoric aside, I'm curious about this. As someone with 5+ years of Linux experience who's now in the process of choosing a new organizational firewall, I've taken a long look at iptables. What I see is, well, a mess compared to either IPFilter or OpenBSD's pf.

    I'm not talking about the raw feature set. I'm talking about the syntax for rules, and the maintainability of large rulesets. The iptables rule syntax is made up of numerous, disparate command-line options, and files of rules become increasingly hard to read and maintain. In contrast, IPFilter and pf have what seems to me to be a clear and easy-to-use rules language well-adapted to large files of rules. Here's a comparison, a rule I just tossed together, with the intent being "allow SSH sessions only from my internal hosts":

    iptables :
    iptables -A INPUT -s 10.11.0.0/16 -p tcp -o tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -o tcp --dport 22 -j DENY

    pf:
    block in proto tcp to any port ssh
    pass in proto tcp from 10.11.0.0/16 to any port ssh keep state

    Don't get me wrong -- iptables is certainly Good Enough to implement IP access rules for a single host, or to serve as a back-end for firewall toolkits such as the one Red Hat's added to their latest releases. But it's sure a surprise to someone who's spent some time on both when BSD comes up with a system that's both prettier and easier than Linux's.