Ask Slashdot: Migrating a Router From Linux To *BSD?
An anonymous reader writes I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs. Question one is: which BSD? Question two: where's some good documentation regarding setting up a home router/firewall on your favorite BSD?
It's fine if the documentation is highly technical, I've written linux kernel drivers before :) (Got a question? You can Ask Slashdot, too.)
subject says it all.
runs from very small disk (I use a 4gb m-sata ssd) and has a great ui, is a superb firewall and is bsd based. used to be the old openwall code.
--
"It is now safe to switch off your computer."
We are routing/firewalling tons of Gbits with it at $work
Answer to #1: pfSense (http://www.pfsense.org/)
Answer to #2: pfSense (http://forum.pfsense.org/)
See, wasn't that easy?
Are you a masochist?
"Helping to keep you two steps ahead of the Thought Police!"
Too stupid to understand routing, but smart enough to write kernel code? Something doesn't add up here.
https://www.pfsense.org/
http://www.bsdnow.tv/tutorials/openbsd-router
It's fine if the documentation is highly technical, I've written linux kernel drivers before :)
You may have written linux kernel drivers before, but apparently you have never encountered this thing called Google?
In all my years here, this is the worst question I have ever seen. Smiley face and all. :^)
Experience usually leads to a realization that you don't know everything... Asking others is a good way to increase your available options from the few you are comfortable with to include ones you might not know exist.
He said he's written drivers. He didn't say they compiled or worked.
Why use an ancient version of pf when you can use the latest version? http://www.bsdnow.tv/tutorials/openbsd-router
I would first seriously consider separating your router/firewall from your file server. As for preferred BSD, it would be OpenBSD for the router/firewall and FreeBSD for the file server.
Use whichever firewall you like, I still prefer ipfw but many have moved to pf.
The three distros in the Subject line do not use systemd, though Gentoo does offer it. They may well be the dig-in-the-heels distros that will stay that way, driven by people like you. Moving to one of those distros is a smaller/easier move for you, and doesn't preclude moving to a BSD in the future.
Years back I thought about moving my server to OpenBSD, based on reputation. However after some thinking I realized that potentially the safest server is the one you know best how to administer. I was probably better off knowing how to administer Linux well across my home cluster than to divide my efforts. I know OpenBSD is supposed to be "secure by default", but don't know how I might accidentally mess that up by mis-applying Linux knowledge to it.
The living have better things to do than to continue hating the dead.
We know it's you, Linus!
I'm a different AC, but went through a similar thing then systemd chased me off to BSD. I went with FreeBSD because it seemed to have the best userland of the options. As similar as BSD is to Linux, you still go from being fairly comfortable (I never wrote kernel drivers, but I used gentoo for about a decade and considered myself fairly confident) to feeling like a newbie again. You have to google every basic thing. It's usually a matter of "oh, in FreeBSD I use this to configure that", but there's still a lot of it and it takes time to feel comfortable with how the system works again.
He said he's written drivers. He didn't say they compiled or worked.
So he was just puttering around?
Envy my 5 digit Slashdot User ID!
Too stupid to understand routing, but smart enough to write kernel code? Something doesn't add up here.
Can't you recognize click-bait when you see it?
Heaven knows slashdot needs click-bait, what with the crap they have been doing to their layout in the last 2 days. Right now it's utter crap on Safari 6.1*, but sometimes it's good and other times it's worse. And sometimes it's borked on Safari 8 and even IE 11. It's as if Dice has never heard of testing on a test system and not testing on production.
*And yes I am still there because of 32 EFI, and yes I know there are ways to get >Lion running on 32 bit EFI, but it is not a priority right now.
I am Slashdot. Are you Slashdot as well?
1) Don't run your fileserver on your router/firewall. You're asking for problems.
2) Not all Linuxes run Systemd (Yay Slackware). I have nothing against the BSDs and they are probably better for networking anyway.
Personally I have Tomato on my firewall/router and use Slackware for my server needs. Serves me pretty well.
The real world is marching on, with Linux for Adult Users and Grown-up Businesses.
You can't expect fourteen year olds to test out an operating system they're randomly switching to because of overblown nerd rage, though.
I'm not sure why all you systemd haters feel the need to say "If I wanted Windows, I'd run Windows". I don't know the technical details, but I assume systemd as a Linux init system is nothing like Windows - except maybe for the fact that it's not based on a bunch of shell scripts. If you're a Linux fan, I'd be surprised if the only reason you like Linux is its script-based init system.
Anyway, I assume the various distros that are switching to systemd are doing it for a reason - and that reason isn't to make it work more like Windows. I assume it's to make it work - i.e. resume from suspend reliably, etc. And if they find that necessary, what makes you think the maintainers of BSD aren't going to run into the same walls that the systemd approach circumvents? Then what are you gonna do?
So sure, if systemd doesn't need its 'tentacles' in an area, complain about that. Maybe your distro won't use that component. But as it stands the systemd flame wars are veering into conspiracy theory territory - and that's rarely a good thing.
Posted from my Android phone. Oh, I can change this? There, that's better...
Ignore the idiots who are dismissive. Just because someone is highly technical in one area doesn't mean there's something wrong if they're not very technical in others.
I personally use NetBSD because I use different hardware in different places for NAT / IPv6 routing / DNS / all that. In homes I use a PogoPlug or Seagate Dockstar with a USB flash or SD card and a USB-ethernet and / or USB-wireless. In businesses I use amd64, sparc64 and powerpc systems. NetBSD uses the same configurations regardless of the architecture.
OpenBSD and FreeBSD are just as good, and, as I'm sure you're realizing while you learn BSD, all three BSDs are much cleaner and better organized, generally speaking, than GNU/Linux distros. The other thing that keeps me using them is that they don't try to be like Windows, so there aren't a zillion extra packages and gratuitous changes from one version to the next.
A BSD NAT router / firewall / IPv6 router / DNS / Samba / web / whatever server can be set up pretty quickly and easily, and keeping track of the configuration files and reproducing a running system is very straightforward.
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
Chapters 29-31 should have all the info you need. FreeBSD does not come configured by default as many of the popular Linux distributions do, but it's worth the effort to have a system that allows you (as the administrator) to maintain control. The argument can be made for NetBSD, OpenBSD and DragonflyBSD, but FreeBSD is the most popular one, if you don't count Mac OSX, which borrows heavily from FreeBSD. PC-BSD (great package management system), FreeNAS and pfSense are built on FreeBSD. The Sony Playstation Network (and Playstation 4), Netflix, and Juniper Networks are all heavy networking players that make extensive use of FreeBSD. Windows NT, FWIW, lifted some of its original TCP/IP stack straight out of BSD, back in the day. But it's up to you.
FreeBSD is for commoners and anonymous cowards (like me), OpenBSD is for the paranoid, NetBSD is for genius old-school gurus and Dragonfly sounds great on paper, but I've never touched it so I couldn't tell you. Also, FreeBSD can run Linux binaries (it emulates CentOS 6 by default). You will have to use the man pages frequently to relearn basic command-line-fu.
Good luck, and welcome to the dark side.
I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux.
What's there to "not trust"? Both SystemD and Service Host are service managers, which is a pretty typical component for an OS.
People who write code don't need to understand firewalls and routing.
Given the number of security problems that I see in code, they don't know about much security at all!!
Actually, how do pFsense and OpenBSD compare as far as routing capabilities go? And for IPv6?
OpenBSD. Feel free to look at the others, just don't get distracted by shiny bells & whistles and GUIs and the like.
OpenBSD does what you want and does it very well.
Trolling is a art,
To be honest I haven't used it, but I recall people speaking highly of m0n0wall in the past.
If you're just doing a router/firewall, I would use OpenBSD
Here are some helpful links:
I'd start here:
http://www.bsdnow.tv/episodes/2013_11_13-the_gateway_drug
they have a tutorial for openbsd
Then there are these that might help
http://www.jupiterbroadcasting.com/52032/a-sixth-pfsense-bsd-25/
http://www.jupiterbroadcasting.com/69852/dont-buy-a-router-bsd-now-60/
http://www.jupiterbroadcasting.com/47107/bridging-the-gap-bsd-now-13/
poster can't google his question but he writes kernel drivers so it's ok
Like BSD, Gentoo is source-based. So, if you're familiar with Linux, you might find Gentoo a sort of gentle introduction to a more BSD-like distro.
I've been using Gentoo for a while, and it has done what I expected most distros to do: it offers two init systems: OpenRC (the default), and systemd. OpenRC is actually Gentoo's own. It's sysvinit-like, with a few nice enhancements. If you're familiar with sysvinit, you won't find it hard to switch: OpenRC is lightweight, and converting a sysvinit-style startup script to an OpenRC one usually requires only a few modifications. OpenRC lets you specify dependencies and runlevels by name, rather than having to manage a bunch of symlinks and numbers by hand.
Gentoo is not as user-friendly as, say, Ubuntu. There's no GUI installer. Instead, the Gentoo Handbook walks you through how to partition and format your disk, etc. I initially picked Gentoo because I wanted to learn more about Linux. Whenever I've gotten stuck, I have also found the online Gentoo community (wiki, forums, etc.) to be quite friendly and helpful.
Init: OpenRC Libc: musl Userland: busybox Looks like a nice alternative....
Peter N. M. Hansteen's PF tutorial and books are recommended reads, Peter remains involved with the developers and the information stays relevant and useful. He also ensures that readers using other BSD systems, especially with older versions of pf, can learn just as much from it.
* The Book of PF, 3rd Edition, 2014 - ISBN: 978-1593275891
* http://home.nuug.no/~peter/pf/
Michael W Lucas is another author that writes books for both the BSD and sysadmin communities, similarly, he works closely with developers and users to release these short, yet all-encompassing tomes of information, covering a wide variety of topics.
https://www.michaelwlucas.com/...
* Absolute OpenBSD, 2nd Edition, 2013 - ISBN: 978-1593274764
* SSH Mastery, 2012 - ISBN: 978-1470069711
* Sudo Mastery, 2013 - ISBN: 978-1493626205
And of course, the official documentation is great. Many people work to improve it: Jason McIntyre improving readability and overall quality, Ingo Schwarze's amazing work on the mandoc(1) tools. OpenBSD's FAQ, which is usually the first step people take to learn more about the system, is maintained by Nick Holland.
http://www.openbsd.org/faq/
http://www.openbsd.org/cgi-bin...
Systemd was written by people who are better technical programmers than they are designers. Outwardly, they 'get things to work' and are perceived to be productive. Open the hood and you find a stinking mess, maintainable only by the priesthood. There are a lot of programmers like this. In 25 years of software development I've seen a lot of this. It is not a good way to be. Judge software not only by how it runs but by how effectively it is maintained by the programmers who inherit the code. Shun systemd.
Picking AROS or Minix 3.
There is also RouterOS?
Just realize that whatever you do you will suffer some disadvantage.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Yeah, isn't the current version of pFsense - 2.1.5 - derived from what is in FreeBSD 8.3? And also, isn't their IPv6 support still rather primitive? It would be good to compare pFsense 2.2 vs TrueOS 10.1 vs OpenBSD 5.6 as far as their IPv6 support goes
Frankly, I love it when I am forced to take a 5 minute coffee break when I can't CTRL+C out of my misconfigured network card. This is a delicious way to start the day.
I've migrated all my servers and last year all my desktops to OpenBSD. I was expecting some of the ports/packages in OpenBSD to be outdated because that's what I read on the web, but surprisingly I found that OpenBSD often has more recent versions of things like chromium/gnome/python/ruby/etc/etc than the other BSDs and even many linux distros.
The base system on the other hand can lag a bit (for example they don't have wireless N yet), but whenever they add a new feature they do it right. One other thing about OpenBSD vs. other OSs I've used is how little breakage there is. For a business/enterprise that is critical. It's extremely rare that their base or ports system becomes unstable. I really like this. On linux/FreeBSD I've found things to be a bit more... painful.
Oh and the security that they're famous for is really amazing. The more I read about the details, the more impressed I am. This is the piece that you really want to make use of if you're building a router. The only thing they're missing compared to FreeBSD is something like capsicum. But FreeBSD doesn't take security too seriously, they focus on performance at all costs and are probably years behind other OSs like OpenBSD or even Windows. (These days I believe Windows has far better security than Linux).
Not that there is anything wrong with BSD, but you don't have to throw the Linux kernel out with the systemd water. You could choose a Linux distribution meant for routers such as OpenWRT which has x86 builds in addition to the embedded ARM and MIPS SoC platforms you will find in most actual SOHO routers.
I've installed OpenWRT on an old laptop before to use it temporarily as a wireless access point.
Because with pfSense (or m0n0wall) it is easy to do well. And this is a serious consideration. Doing a firewall "wrong" has some serious consequences, and pfSense or m0n0wall prevent you from making many common mistakes. (Actually, prevent is too strong... They just make it harder, but you can get access to anything you want if you try hard enough)
IMO the comparison comes about because the philosophies of the two (systemd and windows) are more related to one another than they are to Unix. Unix favors a collection of interacting tools that each do something (ideally, doing that something well). Windows is a giant monolithic shroud covering a multitude of interacting moving parts that you can't see, touch, or understand unless you spend the necessary years becoming an insider. Systemd seems to be leaning in that direction, hence the comparison. It's a big collection of "stuff" that refuses to be broken up into component functional bits.
It certainly doesn't help that the systemd authors seem to think so highly of themselves, that I feel no need to add to their aggrandizement by thinking highly of them myself.
The article should say: I used to write Linux kernel drivers and hate the direction systemd is taking it. Please support me by clicking on my rant and joining me in installing BSD on your router.
Seriously, I'm barely familiar with Linux as I'm just an end user, and I know well enough that I don't need an ask slashdot to figure out which OS I can put on a router which doesn't include systemd.
Help! I'm a slashdot refugee.
You don't even need to blow away the Linux partition. Just install to a 4GB USB stick and set that to be the first boot-device.
Be careful of Gentoo. I have had machines kneecapped more than once in one of their infamous Python upgrades. There is a lot of needless package churn as well. How many times a week am I supposed to compile Chrome? The OpenRC part is nice though.
I'm the original AC who asked the question. Or someone pretending to be him, you have no way of knowing.
1. Not trusting systemd.
Because it can't be troubleshot if all you have is something to read text files with. When all you have is a single user shell, for example. Or you've put the hard drive in a different system, which is whatever you had on hand and could even be Windows with an ext3 plugin.
Because it comes from the author of PulseAudio, who is world renowned for the stability of his products. And low CPU consumption, when they work.
Because it contradicts the Unix philosophy of having a lot of little utilities that each do one thing. It may not be a big deal for a full time sysadmin, but if your main job isn't that it's a lot easier to just read about the small parts that interest you and disable the rest.
2. If he can write Linux kernel drivers, why does he need to ask Slashdot, or why doesn't he google it?
Because I don't know anything about BSD, and I'm not looking for "learn BSD in 10 easy mouse clicks". Although the signal to noise ratio on here sometimes approaches zero, there is the occasional informed opinion, and with a bit of luck, there will be some pointer to some actual pertinent information.
3. Use pfSense
If i use pfSense I won't learn anything. I've installed it before, it took about zero BSD knowledge. Also, I want the file serving part, see 4.
4. Move your Samba server to another machine for security reasons.
The router doesn't have any important files on it. It has the usual torrents, and it runs a private http server. I update the http server's pages through samba because it's the most convenient. It's not worth running this on a separate machine as there's nothing on there that I can't afford to lose. The real data is on other machines, and backed up properly.
Looking forward to the next batch of flame posts now :)
Solaris uses SMF and OS-X uses launchd, as was discussed yesterday in the thread about the new networking features in systemd. If BSD leaves SysV and adapts something, it's more likely to be launchd, rather than systemd. Also, systemd is under GNU LGPL 2.1, and the BSD projects have tended to seek out BSDL alternatives wherever possible. Which is why launchd is more likely to be used than systemd
OpenBSD has a focus on security and I believe they were the group that developed pf. Out of the box, OpenBSD will be pretty much configured well for a router. Also pf on OpenBSD uses a newer syntax. The install process is pretty basic and some of the terminology used for partitioning disks may be confusing for someone used to Linux terminology. In-version OS updates are handled by downloading patches and recompiling from patched sources. Major OS updates come out every 6 months.
FreeBSD has a focus on being a friendlier OS to work with. The kernel exposes many more tunable options and performance is generally considered better on FreeBSD. pf uses an older syntax that was forked off at some point and may never update to the newer versions OpenBSD offer. FreeBSD has a lot of other features like ZFS, which can be a big deal for Samba. The installer is more friendly and OS updates are handled through a fetch/install command. Major OS updates come out frequently according to a set schedule.
I have the expectation that FreeBSD will support new hardware faster than OpenBSD. I think most people serious about OpenBSD will be running it on a machine with Intel network cards. Other nics (realtek, broadcom) may work but sometimes have problems under heavy load on OpenBSD.
I use OpenBSD for my routing/firewall and a separate FreeBSD system for samba/fileserving. I don't expect any problem with running samba on OpenBSD alongside the firewall, but you won't have the benefits of ZFS, which is a big deal for me.
pfsense and m0n0wall are both based on FreeBSD, due to performance.
Unfortunately I don't have as much knowledge about NetBSD.
No one has mentioned NetBSD, perhaps because there are better options out there, but if you have never used a *BSD and don't know what makes them different to Linux, try NetBSD as a first learning experience. Here are some highlights:
1. No Bash, choose ksh (or mksh which is more modern).
2. No long options like --help, all options are a single letter and can be combined, ls -lo, etc.
3. Man pages are very complete, there is very good coverage.
4. You can use FreeBSD ports with no trouble.
Try it to learn what a *BSD is, then choose the one you prefer.
Go start watching BSD Now, it's pretty good stuff. The documentation for BSD is really good. The community is pretty awesome too, they don't splurge lord when you don't use bsd for everything. Anyway, I'm getting ready to make a wireless bsd router using alix boards since you can get the power consumption down to 9 watts at max transfer rates. You'll find bsd is faster at routing network traffic and serving files distros. You can have nic compatibility problems though. If you don't have Intel nics I'd recommend getting some. It's not that the others don't work but since it does a really good job at pushing data out you hit max network traffic speed and then you realize realtek nics start to have xmit errors and can slow it down a little bit. It's purely hardware related. Wish you luck, I'm actually a Microsoft guy, it's how I get paid etc. but I've already started bringing BSD into the work environment where we don't need Microsoft proprietary stuff and it has turned out great even if it was a tough sell. It's just better at being a server than pretty much anything else.
wanna be like juniper and run only 1 core?
Netcraft confirms it, BSD is dead.
I don't understand the blatant systemd pushing. Reasons for disliking it vary but don't really matter, because its adoption will force a *lot* of people who don't want it to either suffer through it or suffer through migration to another OS. That is reason enough not to adopt it. Trying to discredit people's reasons for disliking it is presumptuous, pointless, and rather stupid.
Hi,
I've written a tutorial for installing FreeBSD on an encrypted root using a serial console. That should actually explain some things.
http://forums.smallnetbuilder....
Otherwise:
Get an installer image:
https://www.freebsd.org/where....
The release version is FreeBSD-10.1
try the memstick image; a "cp FreeBSD.img /dev/sdX" will copy it to the stick
While you install:
don't install the package ports, you will get the freshest ones through portsnap
Add an "admin" user and make him a member of group "wheel", because that user can ssh in and then "su" to root.
When you have installed FreeBSD
a.) run portsnap fetch extract
- after this your ports tree is up to date
b.) run freebsd-update fetch install
- after this your FreeBSD-system is up to date
c.) kill the sendmail daemon
- after this you will feel no change at all
d.) install samba via ports (verbose) or via pkg add samba
you install things using the ports collection by entering the directory /usr/ports,
where you choose the category; for example the midnight commander can be found under "/usr/ports/misc/mc"
you start the installation using make install
afterwards you can do a make clean or make distclean.
ports is "just" make-scripts
Hint:
svn is included in the FreeBSD base distribution
it can be called via svn-lite
So you can also check out the current freebsd-head (the FreeBSD handbook says how), browse the /usr/src directory, where you will then recognize that every command's source has a separate directory with a make file etc.
Meaning you can now play with the source of the base distribution (userland) and kernel
FreeBSD is fun, and a base system really has a small footprint.
> My understanding is that SystemD makes binary logs for its own purposes, and that the binary features include indexes so it can very quickly answer queries like "what were the last ten things logged by Apache?"
Oh okay, this huge monstrosity is worth it if it does things like make it easy to see the last ten log entries from Apache. Because for the last 35 years we've never been able to do:
tail /var/log/httpd/error_log
Lennart would add a hundred thousand extra lines of code before thinking about "tail".
Without a doubt, FreeBSD is the best at these tasks. I have used it in the past and you can create a basic forwarding firewall with only a few lines of config. Add a dozen or so more for better control. I also ran BIND, isc-dhcpd, and a wifi access point. This would be a little tough under OpenBSD and NetBSD as they don't have quite the same range of wifi hardware supported out of the box.
FreeBSD has good package management and is very well documented. In many benchmarks, it is faster and scales better than the other BSDs. SAMBA will work fine, as will netatalk and NFS.
Having said all this, running your own firewall is a really good skill and enjoyable hobby. But if it ever becomes more of a burden than an enjoyable task, switch to a high-performance router running linux (no routers with linux have stooped to systemd yet that I know of). I have an ASUS that can seriously handle all the throughput that I can throw at it. And now I have more time for other things!
PS: If you're not already aware, in addition to local caching, BIND can also connect to DHCPD and create real DNS resolution for your local clients.
My understanding (feel free to enlighten me if wrong) is that most distros still offer other init systems, they just aren't requiring package maintainers to support them. Thus.. things you want to use might become dependent on Systemd.
Also (as far as I know) Gnome is the only thing already doing this with KDE likely to follow soon.
I'm guessing (more speculative) that Systemd dependency is only likely to be an issue with big "desktopy" projects like this.
I hope that you are not running Gnome or KDE on your router!
So... what's the problem? Just use a different init!
Also... what kind of router are we talking about? Is this a PC being used as a router? Or is it a device which was actually meant to be a router. If the latter what distro does it run? Do router distros like openwrt, ddwrt, etc... actually use the same init systems as desktops? I always assumed they just ran a few simple scripts.
That being said.. although I've been a long-time Linux user I am using M0n0wall myself. It's a BSD based router distro, much like Pfsense which others have recommended but a bit lighter. I only chose it b/c it (and pfsense) supported the device I wanted to convert to a router and I didn't see anyone mention any of the Linux ones for it online.
My only complaint is that I haven't been able to get a VPN server running on it. I'm not sure this is M0n0wall's fault as this has been a problem for me on a number of other installations I have attempted. I suspect my cable company of blocking it.
But, anyway.. not a single device in MY home seems to care if its packets are being routed through Linux, BSD or whatever! How about a Syllable router for the win?!?!
BSD has jails, you can run it on the same server no problem
But both GNOME and GNOME classic are available on PC-BSD 10.x. How does it work here, if it requires systemd or logind? The BSDs don't have that
Keep it simple: https://www.pfsense.org/
"Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup."
Maybe, if one is leaving systemd based Linuxes, it might be worth trying Gentoo, Slackware or Devuan before doing a wholesale migration to the BSDs
Oh geez, Safari? Not that I want to stick up for Dice-dot but come on! I might use Links to browse on occasion myself but at least I understand that when I do I am so far from the norm that I get what I get and I shouldn't expect webmasters to cater to me!
Next will be a horde of angry Arachne users!
I have learned this the hard way so please take heed;
NB! most of the guides online have the syntax (order of wording) wrong for pf.conf, including the beloved OBSD FAQ.
This is accurate and works on OBSD v5.6
99% of the online howto & guides will get your firewall almost working.
Use this as an example from my working pf.conf
You can spot the variables. Use 'LOG' for all of your entries and keep a "tcpdump -nettti em0 host 192.168.0.x" running while testing your setup.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
It's my gateway and router, and as it's not just a pfsense install it also serves as a web development platform, file storage, etc. etc. There's just nothing as flexible, powerful and intuitive as OpenBSD's PF for facilitating the router portion.
OpenBSD
I'm in a similar boat. I recently (a few months ago) migrated from Gentoo to FreeBSD.
The problem with systemd, and probably why so many people are running from it, is that it's not as simple as just not using systemd, or even not using a distro with systemd as a default.
A lot of packages are gaining direct or indirect dependencies on systemd, and it is becoming a huge pain to run a systemd free system. I found myself having to use portage's blacklist for the first time because simply specifying -systemd as a use flag wasn't enough. I also had to uninstall a bunch of packages and fix the associated breakage. I don't use gnome, but enough gnome packages ended up installed as dependencies of various things that it was a real headache. Slackware has straight up dropped gnome because it's too hard to have it without systemd. And of course you have systemd as an indirect requirement for gimp. Yes friends, when a graphics editing tool depends on a specific init system, it's time to get the hell out of there!
Systemd isn't the only factor, but it's certainly a major one and I think it's pushing a lot of people (like myself) who have kinda been disillusioned with Linux for some time over the edge. At some point mainstream adoption became the big goal, and this mindset where it was better to have a less flexible but easier to use system started destroying a lot of what drew us to Linux in the first place. Linux is basically morphing into a more open version of Windows for the sake of mass appeal, which may be great for humanity, but it's not why I got interested in Linux.
For many years, I ran an alix2d3 box with OpenBSD installed on it as my edge device. Excellent hardware, excellent OS.
pf.conf is simple for a basic configuration.
If you want to run off of a read-only flash file system, or have a router-style config experience, there are adaptations for that purpose also. But just plain old boring openBSD is a great place to start.
My favorite thing about openBSD is how lightweight the install is. There is very little garbage you'll want to shut off or remove.
For the canonical SOHO edge device, choose any x86 hardware you have, put 2 network interfaces on it, and you're done.
A basic pf.conf that gives you NAT and blocks everything evil from the outside is only a few lines, and well documented on the interwebs.
Put your samba server somewhere else.
Oddly enough, I finally retired my OpenBSD device and got a few Ubiquiti EdgeRouters. My home network situation changed and I wanted a smallish device with PoE support, but still wanted a real OS on it.
My opinions are my own, and do not necessarily represent those of my employer.
https://svnweb.freebsd.org/base/head/contrib/pf/ - "Update packet filter (pf) code to OpenBSD 4.5..."
From 4.6 to 5.6, modifications (22 selected modifications, there is a lot more):
4.6 - icmp tracking code rewritten (shortcomings found there)
4.6 - scrub modification
4.6 - "match" keyword
4.7 - NAT rewrite
4.7 - "divert-to" keyword
4.9 - log subsystem rewritten for performance and features
5.0 - Make sure IPv6 packets with routing headers do not create state while dropping them in pf(4).
5.0 - Fixed crash in pf(4) ioctl(2).
5.0 - Fixed potential null dereference in pf(4) ioctl, ahd(4).
5.0 - Added IPv6 ACK prioritization in pf(4).
5.0 - Cleaned up protocol checksums in pf(4), IPv4 and MPLS.
5.0 - Make pf(4) reassemble IPv6 fragments.
5.1 - Improve pf(4) ICMPv6 direction check.
5.1 - pf(4)s IPv6 code evolves further. [...] to make the code more robust.
5.1 - Fix a pf(4) bug where pf_walk_option6() used the outer header in the pd2 case.
5.3 - Lower pf.conf(5) frags limit. Avoids running out of mbuf clusters when dealing with lots of IP fragments.
5.3 - Fixed pf(4) sloppy state tracking missing half the connection in asymmetric setups and ignoring state match in icmp(4) direction checks.
5.4 - Do not reset the pf(4) fragment timeout each time a fragment arrives; drop all fragments if the packet cannot be reassembled within 60 seconds.
5.4 - Before pulling TCP options from the mbuf onto the stack, do an additional length check in pf(4) so overflow cannot happen.
5.5 - Resolved an issue where icmp(4) traffic with pf(4) nat-to failed due to incorrect checksums.
5.5 - Fixed pf(4) icmpid bug (only affected icmp(4) echos via nat, when the nat doesn't change the address).
5.6 - Fixed path MTU discovery with ping6(8) through pf(4) using nat or rdr.
http://networkfilter.blogspot.com.au/2014/12/security-openbsd-vs-freebsd.html#pf_magic
You've written linux kernel drivers, but you have to ask slashdot?
Writing linux kernel drivers is really easy, surprisingly easy. Get this book and you can learn to do it in an afternoon. If you've never compiled a kernel before, that might take two afternoons to figure out.
"First they came for the slanderers and i said nothing."
I'm a big fan of using OpenBSD for my home routers. The documentation is superb, and is more than enough to get started. You might also enjoy calomel.org, and kernel-panic.it. Each site provides a number of straightforward approaches to setting up a few different types of networking appliances with OpenBSD, and other Unix style systems.
If you're comfortable with GNU/Linux you might actually find OpenBSD easier, as it's a simple, well documented UNIX.
* The default install is a handful of simple text questions, and takes around twenty minutes to complete, less if you have fast media.
* The default install is pleasantly minimal if you're into setting up appliances
* Out of the box you will get the Unix versions of software, for example vi, not vim
* There are ports, but unless you're setting up an http proxy or something, you might not need them
PF - packet filter
Once you get the hang of writing pf rules they're a delight:
* make sure you understand the direction packets move in/out of your interfaces
* make sure you understand how the pf language expands/infers your instructions, pf is expressive, and that's good, but also means be careful.
* QoS is fun, and can be insanely elaborate
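The two-interface SOHO router with NAT and default deny described in the alix2d3/OpenBSD post above, written out as a pf.conf. This is an added example, not a file posted by anyone in the thread: the interface names (em0 on the WAN side, em1 on the LAN side) and the 192.168.1.0/24 LAN prefix are assumptions, and the NAT syntax is the OpenBSD 4.7+ match/nat-to form. The comments call out the two points from the PF tips above, packet direction and rule expansion.

```pf
# Added example, not from any post in this thread. Assumed layout:
#   em0 = WAN (public side), em1 = LAN, LAN prefix 192.168.1.0/24
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Addresses that have no business arriving on a public interface.
table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                         172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 }

set skip on lo

# Normalise fragments and TCP MSS before any rule sees the packet.
match in all scrub (no-df random-id max-mss 1440)

# Default deny, logged. Direction is relative to the firewall's own interfaces:
# a LAN host reaching the Internet is "in on $int_if" and then "out on $ext_if",
# and each rule below names the interface and direction it is meant for.
block log all
block in quick on $ext_if from <martians>
block return out quick on $ext_if to <martians>

# NAT: rewrite LAN sources to the WAN address as the packet leaves em0.
# "($ext_if)" in parentheses tracks the interface address if it changes (DHCP/PPPoE).
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Let the LAN out. State is kept by default, so replies come back without
# any "pass in on $ext_if" rule; nothing unsolicited from the WAN gets in.
pass in on $int_if inet from $lan to any
pass out on $ext_if inet

# Minimal ICMP so ping and path MTU discovery work. The braces expand into one
# rule per type; "pfctl -vnf /etc/pf.conf" shows the expanded rule set without
# loading it, which is the place to check what pf inferred before going live.
# Drop the WAN side of this if you do not want the public address to answer pings.
pass inet proto icmp icmp-type { echoreq unreach }
```

Load it with `pfctl -f /etc/pf.conf` after the `-n` dry run passes; `pfctl -ss` then shows the state table, which is the quickest way to confirm that LAN traffic is being NATed rather than silently dropped by the default block.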
You run your file server and firewall on the same box? Are you sure that's a good idea?
The *BSDs all are pretty good for serving really. To be clear, I'm only counting NetBSD, FreeBSD, OpenBSD, and DragonFly BSD, not any of the derivatives. I'm saying that with a straight face even though the latter two of these are forks of the former two. Since they all unabashedly steal from each other, the differences are often a taste issue. So, it makes sense to try more than one.
There are a few details, like how FreeBSD's pf* is less advanced than OpenBSD's, but multi-threading so it gives higher performance on multi-core systems, but for a home system that rarely matters. Likewise, netgraph (found on FreeBSD) is amazingly handy if you need it, but if all you do is route between ethernet interfaces then you don't need it and so it really doesn't matter. OpenBSD is said to be big on security but if you go look at it carefully their definition is rather... limited verging on the self-serving. They did do a lot of auditing and that work did pay off, to be sure, but of course it's never a silver bullet.
I'd be reasonably confident running any of these right on the public internet and I'd expect decent performance from all four, though for some things some are better than others. Eg FreeBSD has ZFS, which is quite amazing if you juggle filesystems around lots (and you have lots of disk and preferably ECC ram to feed it) to the point that I'm getting a bit nauseous listening to the people liking it so much, where DragonFly BSD has HAMMER which is also quite good but for somewhat different applications. And even good old UFS is still a steady workhorse that has had things like softupdates, ACLs, snapshots for the longest time, and even journalling now, and that'll do fine if you don't mind the drawbacks of not having quite the latest super-duper ZFS features.
OpenBSD forked over a personality conflict within NetBSD, then reinvented itself over security. DragonFly BSD forked over disagreement on how to do SMP thread scheduling within FreeBSD (FreeBSD went for N:M scheduling, eventually reverting to something much simpler, over major versions 5..8 and a rocky ride), and it appears that for certain tasks, like heavy loads of PostgreSQL, DragonFly BSD is faster than FreeBSD.
So with the information given, any of the four will do and so recommending any one is personal preference. Mind that the *BSDs carry the Unix torch in all but a name, whereas linux is often a bit confused about its adopted heritage, so things will work Differently than you'll be used to. Do check the documentation, the handbook, the manpages. Where on linux they're often quite useless, not so much on *BSD.
So you probably should make a list of specific tasks, then run at least two *BSDs through the paces of setting it all up properly, perhaps even benchmark the result. Pick whichever you happen to like better. It isn't uncommon for *BSD people to run several variants for different tasks or because of whim. Might try and use live CDs/live USB stick images for the testing. Oh, the linux "one iso for both dvd and usb"-hack doesn't exist elsewhere. That often trips up linux converts, so now you know.
* I actually happen to like ipfw a bit better. Yes, you can even mix them, though it'll give you headaches tracking the packet flows between the two.
So systemd evolved from some simple concepts, as far as I can tell. The first thing that we need to do though is discard the concept of "init", because it tends to make one think of 'things that are needed to boot the system,' which is one thing that init does, but it also handles shutdown and runlevel switching, and gives status information.
First we start with shell scripts and pidfiles. We can track processes, kinda sorta, there's few rules about what init scripts can or can't do, everything is text, and when things go tits-up there's no recovery and any controlling process gets an error code. The tools you have are crude but flexible. Some things are not going to be possible, but there's a certain sweet spot for complexity, and an open invitation to make things as complex as they need to be.
Then we have at least three problems. For one, these scripts are not entirely portable between distributions. For another, pidfiles are inadequate for process tracking. Thirdly, a lot of what the scripts were doing was essentially the same thing done a dozen different ways.
It's possible to solve the first and third issue without systemd. This is more or less what OpenRC does. Generally, providing a layer of abstraction is a way to manage complexity. However, one can go further with this to ask whether it's actually a good thing for all of this vital system-booting stuff to be stored in user-editable files that have access to most of the system when they're executed by a Turing-complete interpreter. Some of this stuff is surely better done as a C library, right?
The issue with process tracking (and associated resource management) required some help from the kernel. I don't know that much about the technical issues involved, but the result was something called cgroups, and absolutely no one objects to it existing. So, now you have the ability to manage processes for real-real and not for play-play, and you need a userland interface for it. Now you start collecting other requirements.
It would be possible to just write a userland library for interacting with cgroups. If however you wanted to start using these abilities to make your system better, then replacing init as the service manager would be a fine start. Having a dependency graph for services is an early requirement, but as long as you're going to rewrite all your init scripts to provide that kind of information, it makes sense to reduce the init script down to its essentials — what does this do that is unique? A general programming principle is Don't Repeat Yourself: if you do something the same way twice, extract the common functionality into a method or library and call it whenever you need that. The goal is to have one and only one representation of a given piece of code or data.
Now we're down to some personal speculation. To me, systemd makes sense given the requirements. Unit files are a sensible evolution of init scripts, with limited executable bits, and all the hooks needed to manage dependencies over the life cycle of the process. To the best of my knowledge they are far more portable between linuxes than the standard set of init scripts. However, it seems like a sticking point is that the abstraction layer wasn't implemented in Bash. For the people whose only tools are Bash, sed, and awk, this is definitely a problem. Why, after all, should a person be forced to learn a new interface simply because it is better?
Hey, I'm allowed to get a few digs in here and there. But more seriously and more broadly, init scripts do a lot of things, and if you're trying to DRY them out, you're going to end up implementing quite a lot of stuff. If your idea of an OS is an extremely limited base for executing shell scripts, you will be very unhappy with how systemd is doing things. If your idea of an OS is something that can manage services and their dependencies and associated resources, then systemd is a necessary layer of plumbing. Some people don't want plumbing. I've seen 20-story buildings in Panama that didn't even h
personally i would have had the "server" /firewall running CentOS 6 or Debian stable
then in 5 YEARS when they are going end of life
then worry about systemd VS systemV
in 5 years time
the question should be settled
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
A lot of packages are gaining direct or indirect dependencies on systemd
Yes, because it does useful stuff that software needs.
and it is becoming a huge pain to run a systemd free system.
So, just run systemd then. Not more pain.
Why on EARTH are you trying to roll your own router? AT HOME, nonetheless... Who needs that kind of trouble? And NEVER put your network firewall on the same hardware as a network server... It's a recipe for disaster.
Just go buy some compatible hardware and run OpenWRT or something. I have a Netgear WNDR4300 as a border router/firewall with OpenWRT loaded on it. They are routinely sold on eBay for $40 or less each, I think I paid $35. Where I wouldn't recommend this exact model because you will end up building your own firmware, this device works just fine for my purposes. Configuration wasn't exactly straightforward enough for your average consumer product, but I managed to get my router running, with wireless, within a few hours.
OpenWRT comes with many optional packages you can load. I cannot vouch for any of them, but the base install is rock stable on my hardware. There is a file server package, where you can serve up USB based storage or share a USB printer, but I don't use either because I have a separate purpose built server for that kind of thing that runs OpenMediaVault NAS with a software raid array, though I think I'd recommend FreeNAS if you want a BSD based system to play with. Both are free for the price of the hardware.
Keep it simple, cheap and reliable.... Buy good hardware and all of the solutions I'm using will be very reliable and about as cheap as you can get.
OR...
Just go buy some industry standard router thingy (Cisco comes to mind) and learn how to use that. Skip all this other stuff.. I used to run a Cisco router as a border firewall, but I'll warn you that stuff gets pretty complex unless you already know how it works...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Or just run Ubuntu.. or maybe Windows?
This is a terrible argument and totally against everything that drove me to Linux in the first place. If I don't like the way something works, I can and am encouraged to roll my own. Systemd is the culmination of this new mindset of "lets all just standardize so it's more presentable to the masses and business". Projects are becoming their own little ecosystems rather than a set of useful utilities that can be used somewhat independently. Gnome is kind of the extreme version of this, but everything seems to be heading in this direction, and now the core system functionality is becoming similar.
We are heading towards a Linux where doing your own thing is becoming less supported and discouraged, and this I find depressing. Sure we may actually have a year of the Linux desktop, but that desktop may as well be Windows.
No Question... pfSense or if you're good, why not go all out and just go with OpenBSD.
Sure you can. You can roll your own. You just have to do the job. Someone has to do it. And if the distributions are not interested in doing it, then someone else has to do it. It's really as simple as that. Don't expect other people to do stuff for you just the way you like it. They have their goals in mind too. You don't like where things are going, then fix it.
Plan B.
Just go and buy a used Cisco or Juniper router off of eBay or Craigslist.
At this point I'm far more inclined to jump ship to BSD (which to be honest feels very much like Linux did back before all this nonsense) and contribute my efforts to making it what I want. Neither is really what I want, but I feel at this point BSD is actually closer, and at least philosophically more aligned with what I'm looking for.
I'm not looking to exaggerate, but i do feel the BSD developer base is noticeably increasing for the same reason, having met many recent converts who all tell much the same story.
A lot of packages are gaining direct or indirect dependencies on systemd
Yes, because it does useful stuff that software needs.
Please explain what "useful stuff" it does that a graphics package like GIMP needs?
http://www.ubnt.com/products/#...
For $99 it's hard to beat:
http://www.ubnt.com/edgemax/ed...
http://www.amazon.com/EdgeRout...
Yes, because it does useful stuff that software needs.
That's certainly one possibility and we'll hope that it's true.
Of course, being a cynic, I could also posit the possibility that systemd is so intrusive that you can't plug-replace it and therefore all these systemd-controlled packages simply cannot opt out.
Sure you can. You can roll your own.
Yes, but there's a major difference between rolling your own application and rolling your own full distro.
When you have to throw out the baby just to get rid of the bathwater, that should be troubling.
tail /var/log/httpd/error_log
Okay, last ten lines is trivial. Any utility in other stuff like "show all logged events between 3:00 and 6:00 in other city's time zone"? Or "export all log events matching criteria in JSON format"?
Not a sysadmin, but seems interesting.
From the description "to migrate my homebrew router/firewall/samba server to one of the BSDs" it sounds like you need/want more than just a straight forward firewall. Based on that observation, I would go with FreeBSD. It has the largest install base, a great handbook, many online guides and a lot of helpful people on irc, etc.
If it were just the firewall alone you could make an argument for OpenBSD and while you can probably still do all the other stuff, you will probably be more frustrated when you run into problems. While I would like to recommend the red headed step child of NetBSD, been there, done that, only FreeBSD now.
There's another Debian fork without systemd that has already got an RC1 release: TRIOS, see https://translate.googleuserco... It's from Serbia and maybe they will join with Devuan. Looks pretty good to me!
Your only real choices are FreeBSD and OpenBSD.
OpenBSD if you're a security freak at the expense of everything else.
FreeBSD if you like performance, features, ports, a big user base, and are likely to grow in your needs from a single OS.
They're equally valid choices.
Everyone moving from Linux is welcome in BSD land.
You'll find life much simpler than dealing with all the Linux distributions and their mania of swapping out major subsystems every month for no reason.
Back in the day, and other than kernel crashes, Linux used to have a nice userland. Now it's just crammed full of bloatware, layers upon layers of useless abstraction. Such that if a real Unix admin wants to get real work done with a Linux, like for a serious deployment of hundreds to thousands of servers, they have to pick Arch or just roll their own LFS.
The sexy BSD daemons will lure you, their simplicity will keep you.
Why am I suppose to hate systemd? I frankly haven't noticed it at all until people started complaining here.
You will understand when something on a new system doesn't work and you have to fuck about for ages to find out what's going on because of the differences and features that are not implemented yet. Suddenly that experienced IT pro has to hit the books to get around what used to have a trivial solution because it's all different - hence anger.
It's just a case of unfinished software replacing something that was rock solid and "the way we always did it". Anger, embarrassment and blaming the new tool that doesn't quite do what the old one did are a common response to having it fuckup on you or trying to setup something non-standard that used to all just go in a trivial rc.local file. Now it's all different and the docs don't all exist yet.
So it's a reaction to hitting the rough edges of immature software and change in general.
I have to admit it pisses me off at times too but I'm getting used to it on some dev boxes and my home machine. I don't think it's ready for use everywhere yet, but it's the catch22 that without wide deployment it's never going to be ready for use everywhere. With more use, more developers and a more practical instead of empire building approach to the project (some developers want it to be an octopus with tentacles into everything instead of being an init system) it may become more useful and less annoying, even if some design choices appear to have been made on crack (eg. you don't want fucking binary logs to read on a system that's got stuck halfway to a usable environment).
That old fileserver with a bucketload of tiny disks that you can hammer on as much as you like to learn what to do with ZFS when things fuckup.
That other old fileserver for that stuff that people want to look at every now and again. Since all it has to do is saturate gigabit to get a file to one computer every now and again there's no performance advantage to buying something new.
Netbooks/Tablets. That's the most likely situation since 32 bit x86 machines to fill that role are still on sale.
Embedded systems / small form factor systems - some are x86 and are quite capable of being used as a quiet media PC using *BSD.
All BSD can do it. My favorite is NetBSD, and here is some documentation on setting up IP filtering
Finding 3:00 to 6:00 in ANY file or device, not just a specific type of log:
grep '[3-6]:[0-9][0-9]'
Note we've been doing it that way since the late seventies, so there's nothing for the sysadmins to learn. All files, disks, etc are searched with the same command, and the same one you've always used, on any *nix.
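The two queries asked about a few posts up ("events between 3:00 and 6:00 in another city's time zone" and "export matching events as JSON") against the same plain-text log the grep above searches, as an added example that is not code from any poster. It assumes the classic syslog line layout ("Mon DD HH:MM:SS host prog: msg"); the sample lines are constructed for the example, and the function names log_window, query_sample and count_sample are mine.

```sh
#!/bin/sh
# Added example for this thread (not code from any poster): a clock-time window
# query over plain syslog text, shifted into another city's UTC offset, with the
# hits emitted as JSON. Only awk is used. Assumes the classic syslog line layout
# "Mon DD HH:MM:SS host prog: msg".

# Constructed sample lines standing in for /var/log/messages on a router named "gw".
SAMPLE_LOG='Dec 14 02:59:59 gw pf: block in on em0 from 203.0.113.5
Dec 14 03:00:00 gw sshd[123]: Failed password for root from 198.51.100.7 port 4242 ssh2
Dec 14 04:30:12 gw pf: pass out on em0 to 192.0.2.1
Dec 14 06:00:00 gw sshd[124]: Accepted publickey for alice from 192.168.1.10
Dec 14 06:00:01 gw cron[200]: (root) CMD (/usr/libexec/newsyslog)'

# log_window START END OFFSET_HOURS  < logfile
#   START/END are HH:MM:SS (inclusive). OFFSET_HOURS is added to each timestamp
#   before comparing, so "log_window 03:00:00 06:00:00 -5" asks what happened
#   between 3 and 6 in a city five hours behind the clock the log was written in.
# Output is a JSON array with one object per line, so it still greps and diffs.
log_window() {
    awk -v start="$1" -v end="$2" -v off="$3" '
    function secs(t,    p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # JSON-escape backslash and double quote; "\\\\&" is the portable awk idiom
    # for "a literal backslash followed by the matched text".
    function jescape(s) { gsub(/\\/, "\\\\&", s); gsub(/"/, "\\\\&", s); return s }
    BEGIN { lo = secs(start); hi = secs(end); n = 0; print "[" }
    {
        # Field 3 is HH:MM:SS. syslog pads the day with a space ("Dec  4"), and
        # awk collapses runs of blanks, so the field positions stay fixed.
        t = (secs($3) + off * 3600) % 86400
        if (t < 0) t += 86400                       # wrap across midnight
        if (t >= lo && t <= hi) {
            msg = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)   # drop date, time, host
            printf "%s{\"time\":\"%02d:%02d:%02d\",\"host\":\"%s\",\"msg\":\"%s\"}\n",
                   (n++ ? "," : ""), int(t / 3600), int(t % 3600 / 60), t % 60, $4, jescape(msg)
        }
    }
    END { print "]" }'
}

# Helpers that run the query over the constructed sample.
query_sample() { printf '%s\n' "$SAMPLE_LOG" | log_window "$@"; }
count_sample() { query_sample "$@" | awk 'END { print NR - 2 }'; }   # minus the [ and ] lines

# The 3:00 to 6:00 question, in the log's own clock:
query_sample 03:00:00 06:00:00 0
```

The window is inclusive at both ends and is compared after the offset is applied, so the same invocation with an offset of -3 picks up the 06:00:00 and 06:00:01 lines (they become 03:00:00 and 03:00:01) and drops the ones the unshifted query matched; the midnight wrap is what keeps 02:59:59 from turning into a negative time. Real logs from rotated files can simply be concatenated onto stdin.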
Aha! So I just need to start a new FUSE project which presents the binary logs as text. :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If it was me, then I'd just use Debian or Ubuntu Server and install sysvinit and remove systemd.
Relevant links:
How to remove systemd from Debian
Debian list post
I sort of had this moment in 2001, when I was about to compile a new kernel for my Linux system. There was a lot of new stuff I had to configure and almost all of it was marked as both "new" and "deprecated" at the same time. My guess at that time was that it was probably due to some bigger corporation wanting stuff only they use. So I just thought "fuck it" and installed NetBSD and I haven't looked back since.
And it honestly has made me more productive as well. I mean, while other people are on Youtube watching cats and what not I'm like "flash, what is that?".
On a more serious note, I have actually never looked back. I wanted something solid that I could work with and work on.
SOME of us are running Windows because that's what everything around us runs, and it "just works" with everything around us.
SOME of us are running linux because "just works" is too mainstream (troll) or because we have the time, inclination, and/or enjoy the challenge of making it work by-god precisely the way I want it.
SOME of us are waiting for the day when we don't have to hold our grandmother's hand and tell her how to compile software over the phone when stuff breaks on her otherwise 100% fabulous linux box we made for her. systemd is contrary to the One True Philosophy, yes. It is more Windows-y "pile of software for everything" yes. And sometimes you get tired of having to AVOID SOFTWARE to make a non-microsoft computer usable by the non-superuser. Not everyone absolutely must have small programs doing single things well because that's the way it should always be done.
There is a market for systemd and it is constantly growing. That you are not it, should not prevent you realizing this is probably the way of the future for people accustomed to GUIs and Windows' (perceived) way of "just always works" but who want to be rid of Microsoft.
If you don't like it, the solution may very well end up being "roll your own" - if not an entire computer worth, at least your contribution to a righteous Unix Philosophy-Compliant branch of something or other.
As a clever person who realizes that systemd is evil and poopy and probably an NSA conspiracy, I have to ask Slashdot: Just how evil and poopy is systemd?
Are you routing on custom hardware (e.g. a cheap router running OpenWRT)? Old Low-End PC? A basic current Intel box? Removable disks? USB Flash Stick? Mikrotik board?
Some hardware makes it really easy to switch operating systems. For instance, if you can run your router from a virtual machine (because your hardware is new enough), if you don't like it, or want something new, just shut down the VM and fire up a new one. If you only want to buy $50 worth of hardware, a Raspberry Pi has the advantage that the disk drive isn't built in, it's just an SD card, so if you want to change OS's you just pop the old one out and put in a new one.
Booting from a USB flash stick is probably the easiest choice for most Intel-based hardware. You can get 8GB for $5, set it up, boot from it, and if it's not doing what you want, remove it and reboot your old OS. Many Linux distros are quite friendly on USB sticks, and some BSDs are, though OpenBSD seems to be a bit harder to do that with (maybe that's just a problem with documentation, but it seems like Theo doesn't trust VMs or booting from USB instead of CD and hard drives.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Docker seems to be the new version of what people used to do with BSD jails. But VMs can give you more flexibility, if you're running hardware that can handle them (as opposed to running your home router/firewall/server on the old PC, and using your newer box for gaming or your laptop for work and browsing.) And there are router-oriented VMs like Vyatta out there.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"Some hard-core SystemD haters are still not happy"
Don't muddy the discussion with this sort of "it's a religious discussion" conversation tainting/ending crap.
The UNIX 'way' is well known, small sharp tools. The phrase is "UNIX doesn't have a monopoly on good ideas, it just has most of them" for us, and more importantly, it has served me well. Binary logs 'internally' is antithetical to the UNIX way, and isn't a step forward *for those of us that use 'sed' and 'grep'* as the quickest and most flexible indexing tools possible (for instance). I am one of those people. I don't care to ask systemd to tell me what happened to apache using its queries, I know what query I want to issue.
This is *not* a religious discussion, and I resent systemd people painting it as such, and forcing the distributions to use Windows style 'Services' (your word) instead of UNIX style daemons (UNIX's word) is not what I want. I don't hate systemd at all, it just doesn't do what I need. Period. And don't ask "how are they forcing" again, that isn't helpful when I can't just turn the package off and sysv init on.
I've written linux kernel drivers before
YOU !!!!!!!!1!1!!1one!1!
Gimp does not require systemd.
If you think that it does because installing gimp on Debian also installs libsystemd, then that's because the Debian package maintainers have set libsystemd as a dependency of dbus; and gimp uses dbus.
And by the way, libsystemd is not an init system. It's a library.
I have run FreeBSD as a single and main home server since version 4.2 in the year 2000. I had experience from Slackware Linux, but when an admin friend of mine recommended FreeBSD, I fell in love because it's so easy and overviewable.
It all started when I needed a real router/firewall for my DSL connection. The available off-the-shelf routers in my price range were complete crap. I soon realized I could have it operating as a NAS as well, so that's what I've done.
The hardware has changed over time, so has the version numbers. But FreeBSD has been able to serve all my needs with very few problems.
Services running: firewall using PF ported from OpenBSD. DNS cache and local DynDNS resolver using BIND + isc-dhcpd. File sharing using Samba 3.6. Disk storage using ZFS raidz1 on 3 disks with GELI encryption layer. Simple web server using lighttpd. Ad blocking on network level using intercepting proxy Privoxy. FTP server. NFS file sharing.
I highly recommend FreeBSD. It's easy to learn, extremely powerful and stable and has lots and lots of available software.
As already suggested, you should put your fileserver on a separate machine. I'd definitely use OpenBSD on the router and firewall and probably FreeBSD on the fileserver since it has better filesystems (ZFS). That's not to say you cannot use OpenBSD as a fileserver. It has the necessary packages and with softraid you get redundancy and encryption (you cannot have both at the same time, though). There is a port of pf for FreeBSD but it's seriously outdated. A few other points; BSD man pages are well written and concise, use them. Configuration files for the base system, and many packages, come with sane defaults so there's a minimum amount of screwing around to get things going. Enjoy.
The whole question strikes me as odd, but typical enough coming from a Linux user.
There are three major BSDs: FreeBSD, NetBSD and OpenBSD. Each of them have their homepages; freebsd.org, netbsd.org and openbsd.org, respectively. Each one has a well-designed, simple layout with a documentation link that's hard to miss. I suppose this is already uncommon for Linux folk, but more to the point - the documentation is very well written and maintained. Whichever you choose to install, man-pages on the system are equally high quality.
(No, you don't need to run around the Internet piecing together information from obscure text files and outdated HOWTOs or need to go source-diving to figure out undocumented options)
And to answer your question:
- All three BSDs have pf (packet filter), originating from OpenBSD. This is the simplest and most intuitive firewall out there. All three also come with integrated ALTQ support for QoS.
- FreeBSD also has its native ipfw, which is considerably trickier to configure, but generally respected as the highest-performing firewall on the planet. And no, it doesn't use shady tricks like ignoring TCP sequence numbers to increase performance, unlike a certain Linux firewall solution is known to.
- All three run Samba and other common server software equally fine.
Essentially, with requirements you stated, you can't go wrong with any of the three.
This combination is worthy of a thorough evaluation. I've been using it for several years and have never looked back. Remember Heart Bleed? Pfsense had the patches within hours.
with jails and capsicum, yeah its no problem. its like running them in their own vms, only without the overhead
man pf.conf
Stop Computers/Cars Analogies on S
128 bit addresses are so wasteful and do not conform with the Unix Philosophy. Who needs a 64 bit subnet? That is way too many bits! IPV6 is needlessly complex. Dual stack? That will double the chances of failure! Unacceptable! Look at this kernel bug report from 2005. IPV6 is too unstable, a security risk! Why do we need IPV6 anyways, its planned obsolescence! IPV4 forever!
It might be helpful to know what linux distro you tend to use, because the type of distro may indicate which BSD variant you would be most comfortable with.
I have in times past run 3 of the original BSDs and all have (many) strengths and (a few) weaknesses.
I would generally recommend FreeBSD for the community and documentation. Ever since it adopted OpenBSD's PF firewall many years ago (which is wonderful), I have generally recommended FreeBSD for its generally greater modern compatibility and larger community for anyone who isn't entirely hardcore into a particular BSD for particular reasons.
It's a bit superficial, but why not fire up some VMs with all OS's you may be interested in and give them an install to kick the wheels... get at least a bit of a feel for the thing.
I find it quite hysterical that one would be willing to switch a router to BSD simply because they have an irrational hatred of systemd. Never mind that the routing functions are done via a MONOLITHIC KERNEL, not via a file system level, which would be the proper Plan9, urm Unix(tm) way. Systemd has about as much to do with routing as libc, but expecting an anti-systemd luddite to know how a linux system actually works is too much. They prefer throwing tantrums like an autistic neckbeard man child.
So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs. Question one is: which BSD? Question two: where's some good documentation regarding setting up a home router/firewall on your favorite BSD? It's fine if the documentation is highly technical, I've written linux kernel drivers before :)
Technical enough to write linux kernel drivers, but incapable of using the Internet to figure out how to run a BSD router?
Use FreeBSD or its derivative appliance, which is a dedicated firewall: pfSense.
Here is the FreeBSD handbook: https://www.freebsd.org/doc/handbook/
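As an added example (not posted by any commenter, and not the configuration pfSense generates), here is a minimal FreeBSD home-router setup with PF: the rc.conf lines that turn on forwarding and PF, and a pf.conf that NATs the LAN behind whatever address the WAN interface currently has, denies inbound by default, and keeps state for everything the LAN starts. The interface names em0/em1 and the 192.168.1.0/24 LAN are assumptions; substitute your own.

```pf
# /etc/rc.conf (FreeBSD) -- enable IPv4 forwarding, PF and the pflog interface
# gateway_enable="YES"
# pf_enable="YES"
# pf_rules="/etc/pf.conf"
# pflog_enable="YES"

# /etc/pf.conf -- assumed interfaces: em0 = WAN (DHCP from the ISP), em1 = LAN
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"        # assumed LAN prefix

set skip on lo0
set block-policy drop             # silently drop instead of sending RSTs/ICMP

# Normalise packets (fragment reassembly, TTL/ID sanity) before filtering.
# FreeBSD's PF keeps the standalone 'scrub' rule; OpenBSD's PF folded it into 'match ... scrub'.
scrub in all

# Source NAT: LAN -> Internet, using the WAN address at the time of the packet.
# FreeBSD's PF still uses the 'nat on' translation syntax; OpenBSD's PF
# writes this as 'match out on egress ... nat-to (egress)' instead.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions, logged to pflog0 so blocked traffic is visible
block in log all
block out log all

# Drop packets arriving on the wrong interface with a LAN or loopback source
antispoof quick for { lo0 $int_if }

# Whatever the router itself originates may leave, with state kept for the reply
pass out quick keep state

# LAN hosts may reach the router's own services and the Internet
pass in on $int_if inet from $lan_net to any keep state

# WAN side: only the DHCP lease replies the router asked for, and ICMP echo
pass in on $ext_if inet proto udp from any port 67 to ($ext_if) port 68
pass in on $ext_if inet proto icmp icmp-type echoreq keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf` (the `-n` parses without applying), then `service pf start` and `service pflog start`; `tcpdump -n -e -ttt -i pflog0` shows what the block rules are dropping. Because FreeBSD's PF syntax lags OpenBSD's, the same ruleset needs the `nat-to`/`match` rewrites noted in the comments before it will load on OpenBSD.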
0) Okay, I agree that I should have phrased that differently. Note that I didn't use a pejorative phrase; I didn't say something like "morons too stupid to understand the greatness of SystemD" or whatever. I really only meant to say "some people who strongly disapprove of SystemD do not want it involved in logging at all."
1) I hope you didn't intend to lump me in with "systemd people" because I'm not one. I am an interested observer looking in from the outside. To the extent that I care about Linux and its future, I care about SystemD; I've been trying to understand how good or bad it is.
But the vast majority of the criticism I have read of SystemD has been just opinion-based flaming. To read most of the posts on Slashdot, there must not be anything good about SystemD and the people who choose it must be deluded or fools or something. I wanted to push past that and understand why smart people might not reject SystemD.
for those of us that use 'sed' and 'grep'
I'm quite skilled with grep so I can query plain-text files just fine, but I'm not opposed to SystemD making a binary log with an index for its own purposes.
If you set up rsyslog or whatever, you will still get a plain-text log file, and you have the option to simply ignore SystemD's own log file.
Windows style 'Services' (your word)
No, don't lump me in as a "systemd person". And don't assume that I'm your enemy or something.
And don't ask "how are they forcing" again, that isn't helpful when I can't just turn the package off and sysv init on.
In Debian "jessie" you can do just that.
https://wiki.debian.org/systemd#Installing_without_systemd
lf(1): it's like ls(1) but sorts filenames by extension, tersely
FreeBSD hands down. /.
I've got detailed documentation that's rather outdated but still applicable.
The configuration is straight forward and the main packages are IPF, IPNAT, squid, snort, bind, sendmail and sshguard
I've used the documentation for as long as I've been on
To avoid corruption, one must remain dishonest.
If you are rolling your own, why not just keep using init? You are not using a full dist for a firewall, I hope.
If you've written a Linux device driver, why are you asking us for anything?
You already know damn well how to do it and you know damn well why BSD isn't the right answer.
Go back into your mother's basement, and stay off my lawn.
I love how everyone is recommending FreeBSD for a router when it is OpenBSD that has the most advanced firewall, and FreeBSD's firewall version is lagging behind OpenBSD's...
Linux systemd is a copy of Solaris SMF. Linux btrfs is a copy of Solaris ZFS. Linux systemtap is a copy of Solaris DTrace. Linux Docker is a copy of Solaris Containers. Linux Open vSwitch is a copy of Solaris Crossbow. etc etc.
When will Linux do something new of their own?
Assert()
THEN: "Hey look at all the great tools here, let's spread them around and help everyone build cool stuff"
BUT: "$BigNastyTrinoplyIsEvil we must go forth and slay in the name of humanity"
NOW: "Build it and they will come"
Razor()
Competition 0x65: "Never allow your opponent to choose the terrain for conflict"
PS: by RSanna - I will go register as soon as I finish this thread, honest !
Ummmm, so now I have to be at least this wealthy for this ride? OhShhhhhhhh
Now Mozilla, Adobe, and YouTube get to tell me when to buy a new computer?
Sounds like a very slippery slope to me!
Yes the other 5%ers exist Virginia !!!
oops, sorry dbill I posted a nest too deeply.
ps: RSanna again -- I know, I know....... just hard to let some things slide (dangerous too, in today's mob mentality)
pfSense has a good team of people working on it. They just released v2.2, based on FreeBSD 10.1. I have it running on an appliance and it has been rock solid for years.
As to your objections to pfsense:
1. Not learning anything because it takes no BSD knowledge to install.
- You can SSH into pfSense and drop to a terminal prompt; from there you can play around in BSD-land to your heart's content. I recently added a wireless card to my firewall and did some shell work on the system to get drivers installed and configured, etc. Very enlightening experience about BSD v. Linux.
2. Wanting to run file services.
- From the shell you can 'pkg install' anything in the BSD repos. I just checked on my system, Samba and various associated programs are available in the repo, just install and configure and you should be good to go. Need http services? I would install Nginx because of its speed and low memory footprint, but Apache is available as well.
One caveat, if you want to play around in BSD and you give pfSense another try, install the full version, not the embedded version, which limits installing packages, etc. The full version needs a HDD to install to, but it sounds like your homebrew solution is on an old PC or appliance hardware that supports HDD. If not, ignore this advice.
Whatever you decide, best of luck, I have been very happy with BSD as a firewall.