Slashdot Mirror

← Back to Stories (view on slashdot.org)

New PF on FreeBSD snapshot available

Posted by michael on from the latest-and-greatest dept.

Dan writes "Pyun YongHyeon and Max Laier announce a new release of PF for FreeBSD, which is available for download. Since the first release of PF at the end of March 2003, PF has undergone several major updates such as -current and ALTQ support. They have also removed bugs in IPv6, module handling and table support code and believe the current version 0.61 is very close to production use."

4 of 58 comments (clear)

  1. Re:Now we have to relearn FreeBSD networking?? by mnmn · · Score: 2, Insightful


    I never started this as a war between Linux and FreeBSD. I can see you are strongly biased one way. But my point is FreeBSD and Linux combined make for 6 different packet filtering tools. This does not help network administrators. The reason why :q! command in vi still works is because it was standardized in UNIX a long time ago and never changed.

    Of you still have a lot against Linux, well just take FreeBSD then. I hope we can use pf 7 years from now.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  2. Re:For those not keeping score... by drdink · · Score: 2, Insightful
    ipfw is basically a basic packet filter with a few things bodged on top of it (variable expansion, keeping state, etc) ( OK, that's a bit unfair, but it's what it *feels* like to use).
    Okay, so you admit your own explanation is biased and wrong. That basically invalidates that "point" you made. Have you looked at the rework of ipfw which is in FreeBSD 5.0-CURRENT and known as ipfw2?

    pf is a built-from-the-ground-up total firewall solution
    ...which means it has some time before it is truely accepted by everyone. Both ipfilter and ipfw have been around for a long time and alraedy proven themselves to work well. In my opinion, pf still has a while to go before it proves itself to the extreme that the others have.

    Essentially, if you want a router with a bit of filtering, ipfw will do you. If you want a serious firewall, go for pf. However, if you want a serious firewall, you should already be going with OpenBSD anyway
    I don't choose my tool by the ease of configuration alone. I also choose my tool by its proven stability, flexibility, and how tightly integrated it is with the other things I am using. Since ipfw fits in all three of these categories, that is my tool. I also prefer FreeBSD over OpenBSD, though the reasons for that aren't really relevant to this conversation. I'll just summarize it by saying that I believe FreeBSD has much better leadership and downloadable ISOs in the same layout as the purchasable ISOs.

    It seems like you totally missed my point I made in my comment above. My point was not "we should go with whichever is better." In fact, it was very different from that. My point was "we should merge the good from others into the existing good we have already." I don't want to switch tools, configuration file formats, and APIs. That was the point I was making. These things should not change. Switching or adding pf to my system will do all these things, along with increasing the size of my source tree just to give me a duplicate tool.

    And in closing, a real network administrator wouldn't use OpenBSD for a firewall. They would use a hardware device designed from the ground up for the specific job of being a firewall. And no, this is not an argument that can be extended to pf vs. ipfw, since ipfw was also designed to be a firewalling tool, has been around longer, does a decent job already (especially with ipfw2), and so forth.

    --
    Beware, Nugget is watching... See?
  3. Re:For those not keeping score... by Huge+Pi+Removal · · Score: 2, Insightful

    I think the sizes of the patches for AltQ stuff for pf and ipfw respectively show how well-written and flexible pf is. I use FreeBSD a lot, and have used ipfw (and ipfw2, although probably not the latest build) extensively. Writing long rule sets to NAT multiple networks, do interesting packet filtering between them and general everyday protecting-of-the-servers is nasty, long and irritating. The ipfw2 ``{}'' notation helps, but not much. What I meant was that creating complicated rulesets is klunky in ipfw and very, very nice in pf. That suggests to me that in some respects the underlying code is klunky/nice respectively. The whole ethos of how the filter works just feels *right* in pf.

    I read through the pf man page and was astounded how good it was. (I will wait until 1st May and OpenBSD 3.3 comes out, and do some speed tests against ipfw before making a final judgement though, obviously.) The way that pf has several different stages of filtering, and doesn't require you to use natd as a separate daemon (the 'nat' command in pf is a perfect example of the integration you talk about), already makes it a winner for my internal router. And the scrub command along with the easy anti-spoof and other bits (very intelligent keep-state stuff) would make it a perfect border router. Oh, plus the fact that OpenBSD comes with a built-in FTP proxy :)

    As for dedicated hardware: I've just built a very well-specced 6-port router (3 ports are gigabit) for around $1000. Try getting a Cisco that has as many features as pf with gigabit ports for that. We are a registered charity... :)

    I think that the more stuff gets loaded onto ipfw2, the slower and less reliable it will be. ipfw was not written flexibly enough in the first place. I agree, it was nice only having one main packet filter for FreeBSD, it meant the tutorials and howtos always worked :) I'm wondering just how well pf on FreeBSD is going to catch on, though: the momentum of ipfw may well keep pf out of the mainstream. Who knows...

    --
    - Oliver

    The right to bear arms is only slightly less stupid than the right to arm bears...
  4. Re:Now we have to relearn FreeBSD networking?? by phoenix_rizzen · · Score: 2, Insightful

    The syntax for ipchains / iptables is just horrible. It doesn't read anything close to English. The nice thing about IPFW / IPF / PF is that you can read a rule and udnerstand exactly what it is designed to do. I have yet to be find someone who can look at a NAT rule in IPTables and tell me exactly what it does without resorting to scrounging through manuals.

    The beauty of IPFW (or IPF or PF) is that the syntax hasn't changed all that much, even though new features have been added. The syntax for the Linux packet filter has changed 3 times in 3 releases.

    The other horrible thing about Linux packet filtering is that it only *just* got NAT figured out. Only took them 3 releases (and how many years??) to get that one. IPFW / IPF / PF have had that for several years now.

    I administer 12 FreeBSD IPFW firewalls, and 11 Linux IPChains firewalls. Can't wait until the summer when I can move those Linux boxes to FreeBSD with either IPFW or IPF. One less headache to worry about.