OpenBSD Packet Filter Ported To NetBSD, FreeBSD

honold writes "just read this on deadly.org (from Pyun YongHyeon): "Hello there. I have ported pf to FreeBSD 5.0 Currently it works well, though many nice features of pf not tested. I have ported to make FreeBSD users know there is an another excellent stateful packet filter with BSD license. URL is the following. ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_fr eebsd_0.3.tar.bz2 Thanks." netbsd has a port as well Where are you, Linux?"

Re:Where are you, Linux?

[josepha48]

Then use netfilter.. its pretty nice... I'd agree it does change each release. But you can also use the old way still. 2.4.x has all 3 in it so you can pick which one you want to use. So while yes it has changed, it also has more options now (another point of view).

Also both FreeBSD and NetBSD have had for a while ipfilter, which is able to 'keep state'. So they already had stateful filtering. At least that's what I thought the 'keep state' keyword in ipf was supposed to do. In FreeBSD 4.? they introduced ipfirewall or ipfw. FreeBSD 5.0 has ipfw2 which does a great job at keeping state. Just use ipfw -d show and you see what is going through your firewall in the state table. Actual ip:port to ip:port listing. I wish it had something like ipfilters ipfstat -t command.

FreeBSD now has 3 choices as far as stateful packet filtering go, ipfilter, packet filter and ipfirewall. What really needs to be done is metrics on all these to show which is actually better under FreeBSD. Metrics that show performane as well as features. Also ease of understanding.

*sigh*

[cperciva]

When porting pf was first proposed on the FreeBSD mailing lists, the general opinion was that it would be a Bad Idea. pf may be great, but having two firewalls built into FreeBSD has caused much confusion in the past.

Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.

Re:*sigh*

[smnolde]

I use ipfw's DUMMYNET features for traffic shaping and queuing. I also use ipf and ipnat for the hardcore stateful packet inspection and kernel-level NAT. It works great.

But when pf is fully ported with AltQ and tables, I'll only need one packet filter, not two.

I think porting pf to FreeBSD is great. We'll have more options for packet filtering, queuing, bridging interfaces, etc.... besides, there's so much among the BSDs so this benefits everyone.

Re:*sigh*

[davet]

Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.

But on the other hand:
If all you have is a hammer, everything starts to look like a nail.

On my part, I like the idea that there's more than one way to do something.

Re:Where are you, Linux?

[TheLink]

AFAIK ipf keeps track of the tcp sequence and ipfw doesn't (it does track the tcp port numbers). So while ipfw2 does keep state, I'm not sure you could say it does a great job of it.

With ipfw you have to rely on the O/S getting the tcp sequence right. Which is probably not a problem.

With ipfw you have a certain degree of control when stateful rules are checked- on first stateful rule or on a check-state ruke. With ipf you don't - stateful rules are checked before all other rules. This means with ipf it is harder to shut down selected stateful connections without affecting other stateful connections.

Netfilter? Still immature, and resembles ipchains too much for my liking. It looks significantly uglier too compared to either ipf or ipfw.

The firewalling stuff was one of the major reasons why I picked FreeBSD instead of Linux for my machine (it has to firewall amongst other things).