OpenBSD Packet Filter Ported To NetBSD, FreeBSD

honold writes "just read this on deadly.org (from Pyun YongHyeon): "Hello there. I have ported pf to FreeBSD 5.0 Currently it works well, though many nice features of pf not tested. I have ported to make FreeBSD users know there is an another excellent stateful packet filter with BSD license. URL is the following. ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_fr eebsd_0.3.tar.bz2 Thanks." netbsd has a port as well Where are you, Linux?"

Where are you, Linux?

[Rastor]

"Where are you, Linux?" I'm not sure I understand the question; Linux has had packet filtering for years now...

Re:Where are you, Linux?

[josepha48]

Then use netfilter.. its pretty nice... I'd agree it does change each release. But you can also use the old way still. 2.4.x has all 3 in it so you can pick which one you want to use. So while yes it has changed, it also has more options now (another point of view).

Also both FreeBSD and NetBSD have had for a while ipfilter, which is able to 'keep state'. So they already had stateful filtering. At least that's what I thought the 'keep state' keyword in ipf was supposed to do. In FreeBSD 4.? they introduced ipfirewall or ipfw. FreeBSD 5.0 has ipfw2 which does a great job at keeping state. Just use ipfw -d show and you see what is going through your firewall in the state table. Actual ip:port to ip:port listing. I wish it had something like ipfilters ipfstat -t command.

FreeBSD now has 3 choices as far as stateful packet filtering go, ipfilter, packet filter and ipfirewall. What really needs to be done is metrics on all these to show which is actually better under FreeBSD. Metrics that show performane as well as features. Also ease of understanding.

Re:Where are you, Linux?

[rsax]

From the IPF Howto [obfuscation.org]:

We want convenience and security in one. Lots of people do, that's why Ciscos have an "established" clause that lets established tcp sessions go through. Ipfw has established. Ipfwadm has setup/established. They all have this feature, but the name is very misleading. When we first saw it, we thought it meant our packet filter was keeping track of what was going on, that it knew if a connection was really established or not. The fact is, they're all taking the packet's word for it from

Re:Where are you, Linux?

[josepha48]

Hmmmm. ipfw has check-state, setup and established. Yes it does keep track of the state as it does have a state table. To see the state table in ipfw use ipfw -d show. To see the state tables in Linux you can look at the /proc filesystem. Not sure if iptables has an actual option for this. Under one of the /proc directories (can't remember which one) it has the state table of all the connections that the kernel knows about.

Truth is that if you want a secure system shutdown your unused services. Use key

Re:Where are you, Linux?

[TheLink]

AFAIK ipf keeps track of the tcp sequence and ipfw doesn't (it does track the tcp port numbers). So while ipfw2 does keep state, I'm not sure you could say it does a great job of it.

With ipfw you have to rely on the O/S getting the tcp sequence right. Which is probably not a problem.

With ipfw you have a certain degree of control when stateful rules are checked- on first stateful rule or on a check-state ruke. With ipf you don't - stateful rules are checked before all other rules. This means with ipf it is

Re:Where are you, Linux?

[Dan Ost]

Linux packet filtering is not as elegant as
what OpenBSD has created.

Sure it works, but it's much easier with pf.

Re:Where are you, Linux?

[Bishop]

Sure it works, but it's much easier with pf.

Says the person who has not bothered to learn Linux Netfilter. I use both. My config files for both are equally easy to read and use.

Re:Where are you, Linux?

[rabidcow]

Could you provide an example? Last time I set up a firewall on Linux, I had to use ipchains, which was baffling to no end. I gave up on any manual configuration and went with linuxconf.

pf is practically configured in english, I actually know where the config file is, and I can easily understand it weeks later without digging through the man page again.

I've taken a quick look around www.netfilter.org [netfilter.org], but the best I've seen is stuff like:
iptables -t filter -A INPUT -d $PUBLIC -m state --state INVALID -j

Re:Where are you, Linux?

[dirkx]

Are you sure ? (see http://www.benzedrine.cx/pf.html for a nice 'TODO' list for netfilter/ipchains).

Specific things which are 'killer apps' to me are the ease by which you can configure things like blocks/groups of ports, services, machines - and then re-use those in your cluster config or wider rules.

This has safed us many hours of debugging downtime; and allows a much wider new range of 'new sysadmins to be' to deal with the simpler requests; such as adding a machine, service or port,

As it is fairly

Re:Where are you, Linux?

[Strog]

It's out [freebsd.org]

5.0 was released 2 months ago. Even the /. editors know [slashdot.org]

Re:Where are you, Linux?

[Everlone]

He means the -STABLE branch of the 5.x series, not the tag for 5.0 Release (which would be the RELENG_5_0)

why this is interesting? think high availability

[ubiquitin]

I'm going to take up the challenge here of explaining why this is interesting. Since November of 2002, OpenBSD's pf has had support for load balancing [deadly.org]. RedHat's $2499 Premium Edition [redhat.com] of their Enterprise distro features Piranha load balancing [redhat.com] which was derived from the Linux High Availability project [linux-ha.org].

So what the OpenBSD pf project is giving you is enterprise-class high availability and load-balance clustering for a tiny fraction of the price. With a handful of cheap dotcom-throw-away x86 servers, a small company or mildly well-capitalized individual can personally build a multi-datacenter-fault-tolerant clustering setup that will rival Fortune 500 uptime ratings.

In other words, the pf project's list of accomplishments [benzedrine.cx] is starting to read like a ToDo list for RedHat's Enterprise Linux development team.

*sigh*

[cperciva]

When porting pf was first proposed on the FreeBSD mailing lists, the general opinion was that it would be a Bad Idea. pf may be great, but having two firewalls built into FreeBSD has caused much confusion in the past.

Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.

Re:*sigh*

[smnolde]

I use ipfw's DUMMYNET features for traffic shaping and queuing. I also use ipf and ipnat for the hardcore stateful packet inspection and kernel-level NAT. It works great.

But when pf is fully ported with AltQ and tables, I'll only need one packet filter, not two.

I think porting pf to FreeBSD is great. We'll have more options for packet filtering, queuing, bridging interfaces, etc.... besides, there's so much among the BSDs so this benefits everyone.

Re:*sigh*

[Ded Bob]

You would not happen to have a simple example of using dummynet along with ipf or know of a good starter doc? I have ipf and ipnat set up the way I like, but I would love to play around with the traffic shaping and queuing.

That article about giving ARP's higher priority sparked my *need* for it. :)

Re:*sigh*

[smnolde]

try this: h tee tee pee //w ww.smnolde.com: 7080/ipfw/ipfw-queue-bw-only (munged to protect my cable connection)

It's a script (that I wrote to do queuing and traffic shaping with DUMMYNEY. I used IPFW2 in the kernel. If you remove any references to esp, then you've got a good place to start.

The script will queue tcp and udp, in, out, or in both directions. Give it a whirl.

- Scott

Re:*sigh*

[Ded Bob]

Give it a whirl.

Thank you. I will.

P.S. You may want to also munge the link just under your name on each post if you want to protect you cable connection.

Re:*sigh*

[davet]

Remember, perfection comes not when there is nothing left to add, but when there is nothing left to take away.

But on the other hand:
If all you have is a hammer, everything starts to look like a nail.

On my part, I like the idea that there's more than one way to do something.

Re:*sigh*

[cperciva]

If all you have is a hammer, everything starts to look like a nail.

Similarly, if all you have is *three* hammers, everything still looks like a nail.

Woot.

[xA40D]

I've been waiting for this for sooo long.

Alas, it's lagging behind OpenBSD's PF

From the TO DO section of the readme:

merge new features from OpenBSD 3.3 pf
- traffic shaping using ALTQ
- load balancing between multiple routes
- prevention up-link saturation for xDSL users

Re:Woot.

[Strog]

to be fair, 3.3 isn't out yet so the new features are still in current. Give it a little time and we will be rocking.

A new perspective by having it running on other OSes should improve pf and make it better than it already is.

Question

[Quill_28]

This may be a little offtopic as it applies to firewalls and not BSD, bear with me.

Why all the different firewalls programs, do they function differently, perform different functions?
Different target user or target networks?

They all seem to be trying to do the exact same thing? Why the variety?

Re:Question

[overbom]

Yes, they differ in implementation and configurability. FreeBSD's default firewall, ipfw, is pretty easy to set up and configure, and it's pretty powerful. Darren Reed's ipfilter is arcane to set up and insanely powerful. From what I've heard of obsd's pf is that it's pretty easy to set up and insanely powerful.

Most firewalls more or less do the same thing, but the devil is in the details. Some firewalls can do much more than others can, and that's why there are multiple firewalls available. For examp

Re:Question

[Quill_28]

So for a home network set-up, ipfw should be fine. It is when you want to get down and dirty you might choose ipfilter.

Re:Question

[overbom]

You got it. The thing that is neato-dandy about 'pf' is that it may be suitable for both home networks (ipfw) and down and dirty firewalling (ipfilter/ipf).

Re:Question

[dohcvtec]

ipfilter is arcane to set up
Whatever gave you that impression? Setting up IPFilter is very straightforward. The rules are modeled after spoken sentences - for example:
pass out quick on le0 proto tcp/udp from any to any keep state
What's arcane about that? If you can't figure out what that line is doing, you probably shouldn't be setting up a firewall anyway. pf's rule syntax is based on IPFilter's, and that's a Good Thing. Other than that, pf adds many new and improved features over IPFilter. By the way, Fr

Re:Question

[overbom]

I'm trying to simply address firewall questions to a kid that doesn't know firewalls -- I'm not trying to broadcast my genius here. My impression, having used ipfw on FreeBSD and ipf on Solaris is that ipfw is easier to use for this kid if he's just getting in to firewalls.

Admit it, if he's not a genius with TCP/IP, seeing all the options for blocking on TCP headers are going to scare the heck out of him.

Re:Question

[Quill_28]

kid? hmpf!

Re:Question

[overbom]

Heh. Sorry about that. I, uh, umm...

Quick, look over there! /poof of smoke /runs away

Re:Question

[phoenix_rizzen]

IPF / PF syntax is fairly easy to read, but nowhere near as clear as IPFW. Using your example:

allow tcp from any to any via le0 keep-state
allow udp from any to any via le0 keep-state
(I'm not sure if IPFW supports multiple protocols on a single line.)

I mean, does it get any closer to English than that??

Re:Question

[empath]

In pf:

pass in on le0 inet proto { tcp, udp } from any to any keep-state