Slashdot Mirror


New PF on FreeBSD snapshot available

Dan writes "Pyun YongHyeon and Max Laier announce a new release of PF for FreeBSD, which is available for download. Since the first release of PF at the end of March 2003, PF has undergone several major updates such as -current and ALTQ support. They have also removed bugs in IPv6, module handling and table support code and believe the current version 0.61 is very close to production use."

6 of 58 comments

  1. Re:PF? by TilJ · Score: 3, Informative

    PF is short for 'packet filter', and it's the native firewall code for OpenBSD. Here's the man page for the config file.

    PF is fairly new compared to IPFW and IPFilter, but it has rapidly been gaining advanced features and capabilities. Porting it to other operating systems is a good thing IMO - the more competition in this field, the better ;-)

    --
    "The purpose of argument is to change the nature of truth." -- Bene Gesserit Precept
  2. Re:Now we have to relearn FreeBSD networking?? by phoenix_rizzen · Score: 4, Informative

    Actually, this is nothing like in Linux. In Linux-land, each new kernel brought out a brand-new, almost completely incompatible packet filter. ipfwadm, ipchains, iptables. The syntax changed. The features changed. There was no way to use the old filter. There were wrapper scripts to try and simulate this, but they are crud. Heck, the packet filters themselves are crud.

    In FreeBSD, there's IPFW *or* IPFilter *or* Packet Filter. IPFW has been around a long time, and the syntax has changed very little. New features have been added, though, but all the old features still work. Same with IPF. Nobody is forced to switch from IPFW to IPF or PF. They can continue to use IPFW.

    It's much nicer to be able to continue to use the same packet filter across minor *and* major versions of an OS. It's also nice to have a choice of two or three packet filters.

    I'll definitely stick to BSD for packet filtering. Linux is nothing more than a toy.

  3. For those not keeping score... by drdink · Score: 3, Informative

    PF is the Packet Filter used in the latest releases of OpenBSD. OpenBSD developed pf after a licensing dispute with Darren Reed basically resulted in him telling OpenBSD to go to hell.

    FreeBSD, up to now, has had two different firewalling methods. First off, there is the natively developed ipfw tool, which recently got a renovation and is now ipfw2 in -CURRENT. The alternative to ipfw is Darren Reed's ipfilter, also known as just ipf. Both ipfw and ipfilter share similar capabilities, and it is generally user preference as to which one is used in FreeBSD.

    Now, it seems somebody has made the effort to port yet another firewalling mechanism to FreeBSD, this time pf. The features it claims to have over ipfw are:

    • built-in variable expansion
    • built-in NAT and preventing NAT detection
    • table (a kind of very large block of addresses) support
    • packet normalization
    • state modulation
    • powerful state tracking
    • automatic rule optimization
    • queueing with ALTQ
    • load balancing with multiple routes

    Presumably, some of these are rather desirable features. However, it is beyond me why FreeBSD needs yet another way to do firewalling when the interfaces and systems we have now already work well. It is my opinion that instead of porting something proprietary to OpenBSD like pf, time should have been spent either patching these features into ipfilter or ipfw to add functionality to an already accepted and loved firewalling mechanism. There is no reason FreeBSD needs to dig a deeper firewalling grave for itself like OpenBSD has done.

    --
    Beware, Nugget is watching... See?
    1. Re:For those not keeping score... by hununu · Score: 3, Interesting

      In order to get pf's nice features into ipfilter, you would have to brain-wash Darren Reed, I guess. :-)
      pf has a lot of interesting things like alt-q integration (yes, not implemented in -current yet but there are working patches at altq's site), tables, etc (you mentioned them).

      And yes, more is better. A lot of people (including me) use on some servers ipfw and ipfilter/ipnat at the same time because it's useful and you can take the best of each "world". pf introduction will give users even more options, nothing more, nothing less.

    2. Re:For those not keeping score... by Huge+Pi+Removal · Score: 3, Informative

      If you read the man page for ipfw and compare & contrast with the man page for pf, you can immediately see just how much better pf is.

      ipfw is basically a basic packet filter with a few things bodged on top of it (variable expansion, keeping state, etc) (OK, that's a bit unfair, but it's what it *feels* like to use). pf is a built-from-the-ground-up total firewall solution, with a hell of a lot of flexibility, and also several functions which will do in one line what it takes ipfw rather longer to do (e.g. anti-spoofing). Plus the simple command "scrub in all" on your border router immediately renders most TCP-fragmentation attacks benign.

      Essentially, if you want a router with a bit of filtering, ipfw will do you. If you want a serious firewall, go for pf. However, if you want a serious firewall, you should already be going with OpenBSD anyway :)

      --
      - Oliver

      The right to bear arms is only slightly less stupid than the right to arm bears...
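    The features drdink lists above (macros, tables, normalization, state modulation, state tracking, NAT) and the one-line anti-spoofing and "scrub in all" that Oliver mentions can all be seen in a single small ruleset. The pf.conf below is an added illustration written for this page; it is not from the thread, the PF project, or the FreeBSD port, and the interface names (fxp0, fxp1), the LAN block and the served ports are assumed values, not anything the posts state. The syntax follows the OpenBSD 3.2/3.3-era grammar the FreeBSD port of that time tracked.

```pf
# Added example pf.conf; interface names and addresses are assumed.
# Section order matters in this pf generation: macros/tables, options,
# scrub, queueing, translation (nat/rdr), then filter rules.
ext_if  = "fxp0"                    # macro: Internet-facing interface
int_if  = "fxp1"                    # macro: LAN interface
int_net = "192.168.1.0/24"          # macro: LAN block
tcp_services = "{ 22, 80, 443 }"    # macro: ports this host serves

# table: one kernel-side address set instead of one rule per block;
# "const" means it cannot be changed at runtime with pfctl -t.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# packet normalization: reassemble fragments and drop overlapping or
# malformed ones before any filter rule sees the packet.
scrub in all

# NAT for the LAN; the parentheses make pf re-read fxp0's address
# each time, so a DHCP/PPP address change needs no rule reload.
nat on $ext_if from $int_net to any -> ($ext_if)

# default deny in both directions, logging what is dropped.
block in log all
block out log all

pass quick on lo0 all

# anti-spoofing in one line per interface: drop packets that claim a
# source address belonging to that interface's network but arrive on
# a different interface.
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# Private source addresses never legitimately arrive from the Internet
# (this assumes $ext_if itself does not sit behind another RFC1918 NAT).
block in quick on $ext_if from <rfc1918> to any

# Inbound services on the border host. "modulate state" keeps state like
# "keep state" but also rewrites the TCP initial sequence numbers, which
# protects hosts with weak ISN generators behind the firewall.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA modulate state

# LAN hosts may initiate anything; state tracking admits the replies,
# so no explicit inbound rule is needed for return traffic.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

    Loaded with `pfctl -f /etc/pf.conf`, a later reload replaces the ruleset without flushing the state table (only `pfctl -F state` does that), which is the "resetting the rules without losing state" behaviour referred to elsewhere in this thread.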
    3. Re:For those not keeping score... by Whyzzi · Score: 3, Interesting

      When pf was in 3.0 -current, it wasn't ready for prime time. 3.1 -stable was a lot better, lacked a few features, but way better. I (could be wrong, but I) am of the belief that they've added (not fixed) features since 3.2, and it is awesome.

      I'm using a 3.3 snapshot from March @ my small organization's 60pc firewall -- one as a bridge protecting my w2k server, the other as 3nic internet/nat+squid/dmz firewall -- both machines are utilizing altq to aggregate traffic nicely, on 64meg 166Mhz pentium classics no less. Squid tends to make my *uptime* pop over 1.00 once in a while, but before I added squid the machine never broke a sweat.

      I played with linux's ipchains, and couldn't get used to the syntax ipchains required. I've used OpenBSD since 2.8, first with ipfilter (forced me to learn global string searching in vi), and gladly moved to pf. The macros and variable expansion simplify the configuration process considerably (my pf.conf is 217 lines long - macros, tcp options, altq, redirects and finally filters - all with adequate spacing and comments), and resetting the rules (likely other firewalling tools have this too) without losing state.

      Please, don't hesitate to order 3.3 when it is released, or at least check out pf in either FreeBSD or OpenBSD.

      --
      "BSD is about people pissing each other.." (Moid Vallat)