Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Operating Systems BSD

OpenBSD Packet Filter Ported To NetBSD, FreeBSD 48

honold writes "just read this on deadly.org (from Pyun YongHyeon): "Hello there. I have ported pf to FreeBSD 5.0 Currently it works well, though many nice features of pf not tested. I have ported to make FreeBSD users know there is an another excellent stateful packet filter with BSD license. URL is the following. ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_fr eebsd_0.3.tar.bz2 Thanks." netbsd has a port as well Where are you, Linux?"
This discussion has been archived. No new comments can be posted.

OpenBSD Packet Filter Ported To NetBSD, FreeBSD

Comments Filter:
  • "Where are you, Linux?" I'm not sure I understand the question; Linux has had packet filtering for years now...
    • Linux packet filtering is not as elegant as
      what OpenBSD has created.

      Sure it works, but it's much easier with pf.
      • Sure it works, but it's much easier with pf.

        Says the person who has not bothered to learn Linux Netfilter. I use both. My config files for both are equally easy to read and use.
        • Could you provide an example? Last time I set up a firewall on Linux, I had to use ipchains, which was baffling to no end. I gave up on any manual configuration and went with linuxconf.

          pf is practically configured in english, I actually know where the config file is, and I can easily understand it weeks later without digging through the man page again.

          I've taken a quick look around www.netfilter.org [netfilter.org], but the best I've seen is stuff like:
          iptables -t filter -A INPUT -d $PUBLIC -m state --state INVALID -j
        • Are you sure ? (see http://www.benzedrine.cx/pf.html for a nice 'TODO' list for netfilter/ipchains).

          Specific things which are 'killer apps' to me are the ease by which you can configure things like blocks/groups of ports, services, machines - and then re-use those in your cluster config or wider rules.

          This has safed us many hours of debugging downtime; and allows a much wider new range of 'new sysadmins to be' to deal with the simpler requests; such as adding a machine, service or port,

          As it is fairly

  • by ubiquitin ( 28396 ) on Tuesday March 25, 2003 @12:59PM (#5592295) Homepage Journal


    I'm going to take up the challenge here of explaining why this is interesting. Since November of 2002, OpenBSD's pf has had support for load balancing [deadly.org]. RedHat's $2499 Premium Edition [redhat.com] of their Enterprise distro features Piranha load balancing [redhat.com] which was derived from the Linux High Availability project [linux-ha.org].

    So what the OpenBSD pf project is giving you is enterprise-class high availability and load-balance clustering for a tiny fraction of the price. With a handful of cheap dotcom-throw-away x86 servers, a small company or mildly well-capitalized individual can personally build a multi-datacenter-fault-tolerant clustering setup that will rival Fortune 500 uptime ratings.

    In other words, the pf project's list of accomplishments [benzedrine.cx] is starting to read like a ToDo list for RedHat's Enterprise Linux development team.

  • *sigh* (Score:4, Interesting)

    by cperciva ( 102828 ) on Tuesday March 25, 2003 @01:19PM (#5592473) Homepage
    When porting pf was first proposed on the FreeBSD mailing lists, the general opinion was that it would be a Bad Idea. pf may be great, but having two firewalls built into FreeBSD has caused much confusion in the past.

    Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.
    • Re:*sigh* (Score:3, Interesting)

      by smnolde ( 209197 )
      I use ipfw's DUMMYNET features for traffic shaping and queuing. I also use ipf and ipnat for the hardcore stateful packet inspection and kernel-level NAT. It works great.

      But when pf is fully ported with AltQ and tables, I'll only need one packet filter, not two.

      I think porting pf to FreeBSD is great. We'll have more options for packet filtering, queuing, bridging interfaces, etc.... besides, there's so much among the BSDs so this benefits everyone.
      • You would not happen to have a simple example of using dummynet along with ipf or know of a good starter doc? I have ipf and ipnat set up the way I like, but I would love to play around with the traffic shaping and queuing.

        That article about giving ARP's higher priority sparked my *need* for it. :)
        • try this: h tee tee pee //w ww.smnolde.com: 7080/ipfw/ipfw-queue-bw-only (munged to protect my cable connection)

          It's a script (that I wrote to do queuing and traffic shaping with DUMMYNEY. I used IPFW2 in the kernel. If you remove any references to esp, then you've got a good place to start.

          The script will queue tcp and udp, in, out, or in both directions. Give it a whirl.

          - Scott
          • Give it a whirl.

            Thank you. I will.

            P.S. You may want to also munge the link just under your name on each post if you want to protect you cable connection.
    • Re:*sigh* (Score:2, Interesting)

      by davet ( 13656 )
      Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.
      But on the other hand:
      If all you have is a hammer, everything starts to look like a nail.

      On my part, I like the idea that there's more than one way to do something.

      • If all you have is a hammer, everything starts to look like a nail.

        Similarly, if all you have is *three* hammers, everything still looks like a nail.
  • by xA40D ( 180522 )
    I've been waiting for this for sooo long.

    Alas, it's lagging behind OpenBSD's PF

    From the TO DO section of the readme:

    merge new features from OpenBSD 3.3 pf
    - traffic shaping using ALTQ
    - load balancing between multiple routes
    - prevention up-link saturation for xDSL users
    • to be fair, 3.3 isn't out yet so the new features are still in current. Give it a little time and we will be rocking.

      A new perspective by having it running on other OSes should improve pf and make it better than it already is.
  • This may be a little offtopic as it applies to firewalls and not BSD, bear with me.

    Why all the different firewalls programs, do they function differently, perform different functions?
    Different target user or target networks?

    They all seem to be trying to do the exact same thing? Why the variety?

    • Re:Question (Score:3, Informative)

      by overbom ( 461949 )
      Yes, they differ in implementation and configurability. FreeBSD's default firewall, ipfw, is pretty easy to set up and configure, and it's pretty powerful. Darren Reed's ipfilter is arcane to set up and insanely powerful. From what I've heard of obsd's pf is that it's pretty easy to set up and insanely powerful.

      Most firewalls more or less do the same thing, but the devil is in the details. Some firewalls can do much more than others can, and that's why there are multiple firewalls available. For examp
      • So for a home network set-up, ipfw should be fine. It is when you want to get down and dirty you might choose ipfilter.
        • You got it. The thing that is neato-dandy about 'pf' is that it may be suitable for both home networks (ipfw) and down and dirty firewalling (ipfilter/ipf).
      • ipfilter is arcane to set up
        Whatever gave you that impression? Setting up IPFilter is very straightforward. The rules are modeled after spoken sentences - for example:
        pass out quick on le0 proto tcp/udp from any to any keep state
        What's arcane about that? If you can't figure out what that line is doing, you probably shouldn't be setting up a firewall anyway. pf's rule syntax is based on IPFilter's, and that's a Good Thing. Other than that, pf adds many new and improved features over IPFilter. By the way, Fr
        • I'm trying to simply address firewall questions to a kid that doesn't know firewalls -- I'm not trying to broadcast my genius here. My impression, having used ipfw on FreeBSD and ipf on Solaris is that ipfw is easier to use for this kid if he's just getting in to firewalls.

          Admit it, if he's not a genius with TCP/IP, seeing all the options for blocking on TCP headers are going to scare the heck out of him.
        • IPF / PF syntax is fairly easy to read, but nowhere near as clear as IPFW. Using your example:

          allow tcp from any to any via le0 keep-state
          allow udp from any to any via le0 keep-state
          (I'm not sure if IPFW supports multiple protocols on a single line.)

          I mean, does it get any closer to English than that??

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...