Slashdot Mirror


OpenBSD Packet Filter Ported To NetBSD, FreeBSD

honold writes "just read this on deadly.org (from Pyun YongHyeon): "Hello there. I have ported pf to FreeBSD 5.0. Currently it works well, though many nice features of pf are not tested. I have ported it to make FreeBSD users know there is another excellent stateful packet filter with a BSD license. The URL is the following: ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_freebsd_0.3.tar.bz2 Thanks." netbsd has a port as well. Where are you, Linux?"

8 of 48 comments

  1. why this is interesting? think high availability by ubiquitin · · Score: 5, Insightful

    I'm going to take up the challenge here of explaining why this is interesting. Since November of 2002, OpenBSD's pf has had support for load balancing. RedHat's $2499 Premium Edition of their Enterprise distro features Piranha load balancing which was derived from the Linux High Availability project.

    So what the OpenBSD pf project is giving you is enterprise-class high availability and load-balance clustering for a tiny fraction of the price. With a handful of cheap dotcom-throw-away x86 servers, a small company or mildly well-capitalized individual can personally build a multi-datacenter-fault-tolerant clustering setup that will rival Fortune 500 uptime ratings.

    In other words, the pf project's list of accomplishments is starting to read like a ToDo list for RedHat's Enterprise Linux development team.

    --
    http://tinyurl.com/4ny52
  2. Re:Where are you, Linux? by josepha48 · · Score: 4, Interesting

    Then use netfilter.. it's pretty nice... I'd agree it does change each release. But you can also use the old way still. 2.4.x has all 3 in it so you can pick which one you want to use. So while yes it has changed, it also has more options now (another point of view).

    Also both FreeBSD and NetBSD have had for a while ipfilter, which is able to 'keep state'. So they already had stateful filtering. At least that's what I thought the 'keep state' keyword in ipf was supposed to do. In FreeBSD 4.? they introduced ipfirewall or ipfw. FreeBSD 5.0 has ipfw2 which does a great job at keeping state. Just use ipfw -d show and you see what is going through your firewall in the state table. Actual ip:port to ip:port listing. I wish it had something like ipfilter's ipfstat -t command.

    FreeBSD now has 3 choices as far as stateful packet filtering goes: ipfilter, packet filter and ipfirewall. What really needs to be done is metrics on all these to show which is actually better under FreeBSD. Metrics that show performance as well as features. Also ease of understanding.

    --

    Only 'flamers' flame!

  3. *sigh* by cperciva · · Score: 3, Interesting

    When porting pf was first proposed on the FreeBSD mailing lists, the general opinion was that it would be a Bad Idea. pf may be great, but having two firewalls built into FreeBSD has caused much confusion in the past.

    Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.

    1. Re:*sigh* by smnolde · · Score: 2, Interesting

      I use ipfw's DUMMYNET features for traffic shaping and queuing. I also use ipf and ipnat for the hardcore stateful packet inspection and kernel-level NAT. It works great.

      But when pf is fully ported with AltQ and tables, I'll only need one packet filter, not two.

      I think porting pf to FreeBSD is great. We'll have more options for packet filtering, queuing, bridging interfaces, etc.... besides, there's so much among the BSDs so this benefits everyone.

    2. Re:*sigh* by davet · · Score: 2, Interesting

      Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.
      But on the other hand:
      If all you have is a hammer, everything starts to look like a nail.

      On my part, I like the idea that there's more than one way to do something.

  4. Re:Question by overbom · · Score: 3, Informative

    Yes, they differ in implementation and configurability. FreeBSD's default firewall, ipfw, is pretty easy to set up and configure, and it's pretty powerful. Darren Reed's ipfilter is arcane to set up and insanely powerful. From what I've heard, obsd's pf is pretty easy to set up and insanely powerful.

    Most firewalls more or less do the same thing, but the devil is in the details. Some firewalls can do much more than others can, and that's why there are multiple firewalls available. For example, Darren Reed's ipfilter can process packets based on any of the TCP flags in the packet header -- not an option that an entry-level sysadmin wants to have to worry about, although a security expert might be uncomfortable without it.

    Most of the firewalls can be set up to do host-based and network-based packet filtering (that's firewalling).

    Hope this helps.

  5. Re:Where are you, Linux? by josepha48 · · Score: 2, Informative

    Hmmmm. ipfw has check-state, setup and established. Yes it does keep track of the state as it does have a state table. To see the state table in ipfw use ipfw -d show. To see the state tables in Linux you can look at the /proc filesystem. Not sure if iptables has an actual option for this. Under one of the /proc directories (can't remember which one) it has the state table of all the connections that the kernel knows about.

    Truth is that if you want a secure system, shut down your unused services. Use keywords like setup (ipfw) or NEW (iptables) to keep track of new connections. Log new connections: use -j LOG in iptables, 'log' in ipf and ipfw. Not sure what the syntax is in pf. Lastly use ssh over telnet and ftp and REQUIRE shared keys. Webservers are hard to secure, because of 'stray' or possibly badly coded cgi. DNS servers should only be run when necessary, or on the internal lan. Use things like ipsec w/ racoon to secure systems so that connection traffic can be encrypted.

    --

    Only 'flamers' flame!

  6. Re:Where are you, Linux? by TheLink · · Score: 2, Interesting

    AFAIK ipf keeps track of the tcp sequence and ipfw doesn't (it does track the tcp port numbers). So while ipfw2 does keep state, I'm not sure you could say it does a great job of it.

    With ipfw you have to rely on the O/S getting the tcp sequence right. Which is probably not a problem.

    With ipfw you have a certain degree of control over when stateful rules are checked: on the first stateful rule or on a check-state rule. With ipf you don't - stateful rules are checked before all other rules. This means with ipf it is harder to shut down selected stateful connections without affecting other stateful connections.

    Netfilter? Still immature, and resembles ipchains too much for my liking. It looks significantly uglier too compared to either ipf or ipfw.

    The firewalling stuff was one of the major reasons why I picked FreeBSD instead of Linux for my machine (it has to firewall amongst other things).

    --
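A toy model of the state-table behaviour the last two comments compare, added here as an illustration and not code from pf, ipf or ipfw: an outbound SYN from the inside network creates a state entry (the "setup"/"keep state" idea), later packets are matched against that table first (the "check-state" idea), everything else is denied and logged, and an optional ipf-style sequence check refuses a segment whose sequence number sits far outside what the connection has seen so far. The addresses, ports and packets are constructed, and the window check is a deliberate simplification of what a real filter does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INSIDE_NET = "10.0.0."   # constructed: hosts on the protected network


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = leaving INSIDE_NET, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S", "SA", "PA"
    seq: int = 0
    length: int = 0       # payload bytes


@dataclass
class Side:
    next_seq: Optional[int] = None   # next sequence number expected from this host


@dataclass
class State:
    sides: Dict[str, Side] = field(default_factory=dict)   # keyed by host address


Key = Tuple[str, int, str, int]


def state_key(pkt: Packet) -> Key:
    """Normalise the addresses/ports so both directions of a flow share one entry."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (lo[0], lo[1], hi[0], hi[1])


class StatefulFilter:
    def __init__(self, track_sequence: bool, window: int = 65535):
        self.track_sequence = track_sequence   # True: ipf-like, False: ipfw-like (ports only)
        self.window = window
        self.table: Dict[Key, State] = {}
        self.log: List[str] = []

    def _in_window(self, side: Side, pkt: Packet) -> bool:
        if side.next_seq is None:            # first segment seen from this host
            return True
        return abs(pkt.seq - side.next_seq) <= self.window

    def _update(self, state: State, pkt: Packet) -> None:
        # Advance this host's expected sequence; SYN and FIN each consume one number.
        side = state.sides.setdefault(pkt.src, Side())
        ctl = 1 if ("S" in pkt.flags or "F" in pkt.flags) else 0
        side.next_seq = pkt.seq + pkt.length + ctl

    def filter(self, pkt: Packet) -> str:
        key = state_key(pkt)
        state = self.table.get(key)
        # Rule 1 (check-state): packets of a known connection pass, subject to the
        # optional sequence check.
        if state is not None:
            side = state.sides.setdefault(pkt.src, Side())
            if self.track_sequence and not self._in_window(side, pkt):
                self.log.append(f"deny out-of-window {pkt.src}:{pkt.sport} -> "
                                f"{pkt.dst}:{pkt.dport} seq={pkt.seq}")
                return "deny"
            self._update(state, pkt)
            return "pass"
        # Rule 2 (setup keep-state): inside hosts may open new connections.
        if pkt.direction == "out" and pkt.flags == "S" and pkt.src.startswith(INSIDE_NET):
            state = State()
            self.table[key] = state
            self._update(state, pkt)
            self.log.append(f"new {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "pass"
        # Rule 3: anything else is denied and logged (the "log" keyword idea).
        self.log.append(f"deny {pkt.direction} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} flags={pkt.flags}")
        return "deny"


def run_scenario(track_sequence: bool) -> List[str]:
    """Constructed packet sequence: a normal web connection from inside, one
    unsolicited inbound SYN to ssh, and one segment far outside the window."""
    fw = StatefulFilter(track_sequence)
    packets = [
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, "S", seq=1000),
        Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, "SA", seq=5000),
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, "A", seq=1001),
        Packet("in", "198.51.100.7", 1234, "10.0.0.5", 22, "S", seq=77),
        Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, "PA", seq=5001, length=100),
        Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, "PA", seq=900_000_000, length=100),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("ports-only state:", run_scenario(False))
    print("sequence-tracking:", run_scenario(True))
```

The only verdict that differs between the two modes is the last packet: with port-only tracking it matches the state entry and passes, while with sequence tracking it is denied and the reason is recorded in the log, which is the distinction TheLink draws between ipfw and ipf above.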