OpenBSD Journal
PF for FreeBSD 5.0
Contributed by jose on Tue Mar 25 14:14:00 2003 (GMT)
from the portable-guards dept.

Pyun YongHyeon writes:

"Hello there.

I have ported pf to FreeBSD 5.0. Currently it works well, though many nice features of pf are not tested. I ported it to let FreeBSD users know there is another excellent stateful packet filter with a BSD license. The URL is the following.

ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_freebsd_0.3.tar.bz2

Thanks."

Wow, this is pretty cool. I know that PF had been ported to NetBSD as well (as an LKM, without ALTQ), but I didn't know about this effort for FreeBSD. It's good to see that people are mixing up their options, and maybe they can contribute something back to OpenBSD's PF.




  iptables (mod -4/120)
by Anonymous Coward on Tue Mar 25 14:19:00 2003 (GMT)
  How does pf, and the other respective *bsd firewalls compare to iptables for linux?

From my short look into similarities, it would appear iptables can do a bit more, and is a tad faster.

What are other readers experiences?

Please, no bitching/trolling, I was just after a technical comparison.




       
Re: iptables (mod 5/95)
by deekayen on Tue Mar 25 14:23:00 2003 (GMT)
  That's a silly question. IPTables authors are going to say theirs is better where Daniel Hartmeier will say otherwise with neither being wrong. Daniel did a benchmark once. Search through http://www.benzedrine.cx/pf.html

         
Re: iptables (mod 1/97)
by miked512 (miked512@msn.com) on Tue Mar 25 15:27:00 2003 (GMT)
  Well, from my studies it's all dependent on what you're trying to do. Deekayen is right though, they're both better than the other in their own rights.

         
Re: iptables (mod 1/95)
by Anonymous Coward on Tue Mar 25 18:50:00 2003 (GMT)
  Performance is not an issue with the firewall. Security is. Linux's firewall does not do real stateful inspection for instance.

           
Re: iptables (mod -4/92)
by Anonymous Coward on Tue Mar 25 19:05:00 2003 (GMT)
  Performance *is* an issue. IPF cannot handle the same number of packets that PF can. That is a BFD* in my book.

*(BFD == Big F*cking Deal)

             
Re: iptables (mod 6/92)
by RC on Tue Mar 25 23:03:00 2003 (GMT)
  The difference in performance between firewalls is nominal. The CPU power required for processing rules is nothing next to the CPU power required for the handling of interrupts on the network cards, unless you have a freaking monstrous ruleset. I'm surprised anyone would care about performance at all when you can get multi-gigahertz machines for less than $300.


               
Re: iptables (mod -3/95)
by Anonymous Coward on Wed Mar 26 12:48:00 2003 (GMT)
  When I have to get a new machine for IPF, vs using my current machine for PF, that is a BFD. CPU utilization is only one part of the equation, but new machines == money I could better spend elsewhere.

               
Re: iptables (mod 3/89)
by Henning (henning@openbsd.org) on Thu Mar 27 13:49:00 2003 (GMT)
  IPFilter could not handle my load on a Duron 700/128MB/3x21143.
pf on the same machine handles twice the load nowadays with a peak of 12% CPU.

performance does not matter, eh? well, the performance difference between IPFilter and pf was the key between can use and impossible here.

           
Re: iptables (mod 11/97)
by Anonymous Coward on Wed Mar 26 15:32:00 2003 (GMT)
  do you have anything to back that statement up?


             
Re: iptables (mod -2/104)
by Anonymous Coward on Fri Jul 11 14:20:00 2003 (GMT)
  On the previous comment comparing "ipf" and "pf".

I have no personal experience using OpenBSD's "pf", however, I have lots of experience with FreeBSD's "ipfw" and I have also extensively used "ipf".

From my experiences I have found that "ipf" is *significantly* slower than "ipfw". Although the "ipf" syntax is simpler, it simply lacks a lot of the features and functionality of "ipfw".

I am extremely interested in "pf" particularly for the "authpf" and "altq" features which are non-existent with "ipfw" -- there are some queuing tools, but nothing that can compare to OpenBSD's "altq".

Just my 2 cents.

       
Re: iptables (mod 1/95)
by Ben Johnson on Tue Mar 25 15:25:00 2003 (GMT)
 
IPF/PF are vastly more sane to figure out than iptables.

PF in particular is a dream - port forwarding, filtering, cleaning and shaping configured in one easy to use text file.

Also do consider the whole environment: a default OpenBSD with PF will be more secure than a default Red Hat 8.1 with iptables. (In addition, the OpenBSD box will be more stable IMHO.)

Just like Linux is great for the latest releases of desktops, browsers and office suites, OpenBSD is great for firewalls, authentication and stability.

They both have their place.


         
Re: iptables (mod 7/97)
by Piero Leonardo Rodrigues (piero@irapida.com.br) on Tue Mar 25 17:15:00 2003 (GMT)
www.irapida.com.br
  Like Ben Johnson says: they both have their place.

iptables has some things which don't exist in pf, like the log schema, which is more advanced than pf's.
But for security, firewalling and enjoyment :) .. I prefer OpenBSD + pf

           
Re: iptables (mod 0/100)
by Anonymous Coward on Tue Mar 25 22:37:00 2003 (GMT)
  > iptables has some things which don't exist in pf,

Name some useful features which iptables provides and PF does not.

> like the log schema, more advanced than pf.

What is wrong with pflog? Logging everything in a pcap file is incredible (being able to use tcpdump, ethereal, snort, ... on your log files).

       
Re: iptables (mod -2/102)
by Sherrod (sherrod@girlvinyl.com) on Tue Mar 25 17:06:00 2003 (GMT)
http://girlvinyl.com
  IPtables [and especially upgrading from IPchains] in my experience is just a big mess to deal with. One of my favourite things about OpenBSD is that it has a supremely easy syntax for writing your pf rules. It looks almost like plain English - no confusion.

Plus you can add NAT with one line.
:]

       
Re: iptables (mod 7/93)
by Anonymous Coward on Tue Mar 25 17:17:00 2003 (GMT)
  FreeBSD's IPFW2 is by far the fastest, no comparison, but I think the design and features of PF are the best.
IPtables is a mess, typical GNU and Linux style; performance is on par with IP.

       
Re: iptables (mod 3/95)
by Anonymous Coward on Tue Mar 25 18:40:00 2003 (GMT)
 

       
Re: iptables (mod -2/96)
by Alejandro G. Belluscio (baldusi@hotmail.com) on Tue Mar 25 18:43:00 2003 (GMT)
  Just for a start, pf does true TCP sequence stateful inspection. Linux IPTables does not. What they call "stateful inspection" is more of a "kind of get the same result most of the time", because they wanted to be able to keep states between reboots. PF will solve this differently in 3.4 (look for /dev/pfsync ;-).

         
Re: iptables (mod -13/95)
by Steph L (Stephane.Lentz@ansf.alcatel.fr) on Tue Mar 25 21:02:00 2003 (GMT)
  I thought that IPTABLES did stateful inspection (http://www.sns.ias.edu/~jns/security/iptables/ mentions it does for instance).
Are you sure?

In some Linux French magazine some guy mentioned in some IPTABLES/NETFILTER vs PF comparison that:
- PF lacks some modules to follow some connections that Netfilter offers.
Example: IRC module (for DCC traffic)
- PF lacks front-ends (IPTABLES offers many)
- PF lacks load-balancing

He mentions that add-ons such as authpf and normalization are really valuable.

           
Re: iptables (mod -14/104)
by Dries Schellekens on Tue Mar 25 22:30:00 2003 (GMT)
  > I thought that IPTABLES did stateful inspection (http://www.sns.ias.edu/~jns/security/iptables/ mentions it does for instance).
> Are you sure?

According to tcp-window-tracking still is a patch and enabled by default.

> In some Linux French magazine some guy mentioned in some IPTABLES/NETFILTER vs PF comparison that:
> - PF lacks some modules to follow some connections that Netfilter offers.
> Example: IRC module (for DCC traffic)

Look at ports net/tircproxy

> - PF lacks front-ends (IPTABLES offers many)

There exist plenty of GUIs to create PF rules: fwbuilder, WallFire, SOFI, ... (lots of tools are listed on Daniel's website)

> - PF lacks load-balancing

This is one of the new features in OpenBSD 3.3.

             
Re: iptables (mod 12/100)
by Dries Schellekens on Tue Mar 25 22:32:00 2003 (GMT)
  > According to tcp-window-tracking still is a patch and enabled by default.

Clearly this should be "not enabled by default".

           
Re: iptables (mod -6/96)
by RC on Tue Mar 25 22:50:00 2003 (GMT)
 

What is "follow some connections" supposed to mean?

PF needs no front-end, it is an incredibly elegant syntax, and probably easier to learn the syntax than to learn a front-end... Besides, I have heard of one front-end for PF, I have no doubt there are more.

PF certainly has load-balancing.

In addition to authpf, and normalization, PF has a modulate state option, very good performance, and all sorts of features are being added... practically daily.

I can't say any more about the differences, because I haven't used any non-OpenBSD options in quite some time.

           
Re: iptables (mod 5/95)
by Alejandro Belluscio (baldusi@hotmail.com) on Wed Mar 26 16:59:00 2003 (GMT)
  Even though it's got "stateful inspection", it's not a theoretically perfect adherence to the standards. With ICMP and UDP it's the same as PF, but on TCP it doesn't correctly use the sequence number window. Someone else has written here that there's a patch around. But it's not a default option. In any case it is not as tested as PF.
Regarding the connection tracking, PF might have fewer modules. But consider protocols that don't work with NAT brain-dead (you can't really defend FTP, and the SIP committee is unforgivable, but surely it was made on purpose).
Besides, it has modulation of state and randomization of IP IDs. This means a real increase in security.

         
Re: iptables (mod -4/94)
by Anonymous Coward on Wed Mar 26 12:38:00 2003 (GMT)
  Why would anyone want to save the states between reboots?

           
Re: iptables (mod 1/97)
by Anonymous Coward on Wed Mar 26 01:15:00 2003 (GMT)
  disconnection of instant messengers!

             
Re: iptables (mod 2/102)
by thebiMbo on Wed Mar 26 08:50:00 2003 (GMT)
  ROFL!

           
Re: iptables (mod 6/92)
by Dries Schellekens on Wed Mar 26 21:05:00 2003 (GMT)
  Yes, this seems quite useless. PF is able to pick up existing connections when using keep state; of course modulate state will not work, because the ISN modulation will be lost between reboots (this is described in pf.conf(5)).

pfsync(4) will only be interesting in case of failover; but a good failover mechanism (VRRP) is lacking because of patent stuff.

           
Re: iptables (mod 3/89)
by Lennie (leen@wirehub.nl) on Wed Apr 9 18:22:00 2003 (GMT)
  Actually, I personally think it's more useful if you have a cluster of firewalls.

I have not seen any (non-commercial) firewall (pf, iptables and 'friends') that can replicate or distribute connection-tracking.

             
Re: iptables (mod -3/97)
by Lennie (leen@wirehub.nl) on Wed Apr 9 18:56:00 2003 (GMT)
  OK, they are working on it for pf and there used to be a mailing list dedicated to figuring out how to do it for netfilter/iptables; they didn't agree and didn't do much work on it.

So I stand corrected, if someone wants to comment on my comment. :-)

               
Re: iptables (mod 3/91)
by Lennie (leen@wirehub.nl) on Wed Apr 9 19:29:00 2003 (GMT)
  wrong again, there are people working at it, the kernel interface for iptables/netfilter is actually there... there is a patch in patch-o-matic: ctnetlink or nfnetlink

         
Re: iptables (mod -4/96)
by Anonymous Coward on Wed Mar 26 12:51:00 2003 (GMT)
  I can do that with PF too.

"Pass out keep state". Done.

Doesn't mean that is a good idea, but it is possible. I've heard rumors that PF will support sharing state over a backbone end, and that will be super cool. (For fail-over firewalls)

       
Re: iptables (mod 3/93)
by Anonymous Coward on Wed Mar 26 03:26:00 2003 (GMT)
  Let's just say you'll never hear "well, I'd love to use *BSD, but I just can't live without IPTables!"

IPF and PF make more sense to myself personally. Some people prefer the more command-oriented (as opposed to file-oriented) rule style of IPFW and IPTables. In IPF/PF, you just edit a file with your rules, and can change the state of the firewall with a control utility. With IPTables and IPFW, you add/change/delete rules with the same utility, often through a shell script or some such. I'd go for IPFW over IPTables, since

- it runs under FreeBSD
- its syntax isn't a horrible mess of command-line arguments.

I haven't run into anything that I can do with Linux/IPTables that I can't do with the alternatives.

         
Re: iptables (mod -1/95)
by Anonymous Coward on Wed Mar 26 21:36:00 2003 (GMT)
  > Let's just say you'll never hear "well, I'd love to use *BSD, but I just can't live without IPTables!"


ROFL!

       
Re: iptables (mod 6/96)
by Anonymous Coward on Wed Mar 26 06:06:00 2003 (GMT)
  Iptables is hard to configure compared to IPF or PF. Long options, you have to run their program in order to set each rule (iptables this, iptables that). Plus for bandwidth control you need other separate tools which are even more obscure.

IPF and PF are very easy to figure out. PF also has very useful additional features. If you want to add some temporary rules you just invoke `ipf -f -' and write your rules, then ctrl+c. This is just beautiful! And ALTQ has a very easy to understand, sane configuration file compared to those Linux tools.

Don't get me wrong. I am using Linux mostly for the desktop and FreeBSD on servers. Both work fine. I just hate iptables syntax.

       
Re: iptables (mod 0/86)
by Anonymous Coward on Thu Mar 27 00:20:00 2003 (GMT)
  One thing that sucks about it is that it doesn't work right when NATing for a bunch of games such as STARCRAFT and sometimes with Quake. It used to work with Quake for me before it was PF, but now that I am using PF, it doesn't work. About every year, I test both a Linux 2.2 machine with the old ipchains and a new OpenBSD box, but OpenBSD always messed up the games with NAT, while the old Linux box always works. This is one of the only things I can't fix (there are a bunch of gamers inside one of my networks!!!!)

         
Re: iptables (mod 2/100)
by Dries Schellekens on Wed Mar 26 20:56:00 2003 (GMT)
  Use static-port on your nat rules (this is a new feature in 3.3). From pf.conf(5): With nat rules, the static-port option prevents pf(4) from modifying the source port on tcp and udp packets. This should fix most broken applications (NAT-ignorant), like games.
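The static-port advice above, together with the keep state / modulate state and pflog points raised earlier in the thread, put into one OpenBSD 3.3-era pf.conf. This is an added example, not from any poster; interface names, addresses and the two game hosts are assumed.

```pf
# Added example (not from the thread): OpenBSD 3.3-era pf.conf.
# Interface names and addresses are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"
# Hosts running NAT-unaware games; only these get static-port.
gamers  = "{ 192.168.1.10, 192.168.1.11 }"

# Normalization: reassemble fragments and drop malformed packets
# before any rule sees them.
scrub in all

# Translation section (3.x evaluates it before the filter rules;
# first matching nat rule wins, so the narrow rule goes first).
# static-port keeps the client's source port, which is what the
# game's peers expect. Caveat: two gamers picking the same source
# port to the same destination would collide, so keep it narrow.
nat on $ext_if from $gamers to any -> ($ext_if) static-port
# Everyone else keeps the default: source port rewritten to a
# random high port, which avoids that collision entirely.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; "log" sends the packet to pflog0 in pcap format.
block in  log all
block out log all

# LAN hosts may initiate; the state entry lets replies back in.
pass in  on $int_if from $int_net to any keep state

# keep state for everything; these entries are picked up again
# after a firewall reboot, as pf.conf(5) describes.
pass out on $ext_if proto { tcp, udp, icmp } from $int_net to any keep state
# Last matching rule wins, so TCP gets modulate state instead:
# pf rewrites the initial sequence numbers for hosts with weak ISN
# generators. Those states do not survive a reboot.
pass out on $ext_if proto tcp from $int_net to any modulate state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and since pflogd writes pcap, the blocked packets are read with `tcpdump -n -e -ttt -r /var/log/pflog`, as the thread notes.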

           
Re: iptables (mod 3/97)
by Anonymous Coward on Wed Mar 26 22:39:00 2003 (GMT)
  Thanks for the info!!!!!!!

       
Re: iptables (mod 3/97)
by Anonymous Coward on Wed Mar 26 21:32:00 2003 (GMT)
  I've used iptables, ipchains, ipf and pf. I'll take *pf over the Linux alternatives. When it comes right down to it, pf is easier and more powerful. Why don't you actually try to use both and then come back and post. You must have been on crack during your "short look into similarities".

  YES (mod 2/108)
by miked512 (miked512@msn.com) on Tue Mar 25 15:28:00 2003 (GMT)
  YES, I'VE BEEN WAITING ON THIS!!!!!!

Not like I don't use OpenBSD or anything. ;-)
I hope it works well.

       
Re: YES (mod 1/101)
by Anonymous Coward on Tue Mar 25 19:45:00 2003 (GMT)
  I think this'll be GREAT! I hope bridging with PF will work; unlike IPF with bridging, which didn't filter bridged frames (the main thing that made me switch to OpenBSD long ago.)

Will they import this into FreeBSD or will it be a separate thing?

         
Re: YES (mod 1/99)
by Anonymous Coward on Tue Mar 25 21:31:00 2003 (GMT)
  ipfw filters on bridges just fine...ipfw2 added a bunch more features to it as well.

i have a freebsd server with 2 4-port nics running 4 independent bridges here using ipfw1 (lkm) to filter out multicast

           
Re: YES (mod 2/100)
by Anonymous Coward on Tue Mar 25 23:40:00 2003 (GMT)
  That's IPFW, I meant that IPF didn't do it and wondering if PF will now do it?

             
Re: YES (mod 0/96)
by Anonymous Coward on Thu Mar 27 00:20:00 2003 (GMT)
  PF always worked on a bridge! A lot of people are using it and there exist a number of documents describing how to set it up: HOWTO: Transparent Packet Filtering with OpenBSD, OpenBSD Bridging Firewall Configuration, ...

               
Re: YES (mod 0/96)
by Anonymous Coward on Wed Mar 26 19:51:00 2003 (GMT)
  ok, here goes again...

I'm still referring to FreeBSD 5.0 with pf and bridging; not OpenBSD. I use OpenBSD for this and I swear by it. Like I originally said, I wonder if pf will support filtering bridged packets (in FreeBSD 5.0) because I know for a fact IPF didn't, only IPFW did.

                 
Re: YES (mod 3/97)
by Anonymous Coward on Thu Mar 27 17:28:00 2003 (GMT)
  this was a 'darren' restriction

he put up a patch to make it work which was like 8 lines of code on the ipf mailing list. i never tried it.

               
Re: YES (mod -5/95)
by Hendrik Scholz (hscholz@raisdorf.net) on Fri Mar 28 20:08:00 2003 (GMT)
http://www.raisdorf.net/
  Just for completeness: ipf can do the same trick as described on http://www.raisdorf.net/bridge
I cannot compare the two as I'm running ipf on most systems.

                 
Re: YES (mod 1/95)
by Anonymous Coward on Fri Mar 28 20:26:00 2003 (GMT)
  Thanks!

  Kewl, now there's really no reasons to use OpenBSD (mod -1/105)
by Hiya on Tue Mar 25 15:49:00 2003 (GMT)
  ....

       
Re: Kewl, now there's really no reasons to use Ope (mod 6/100)
by uNF on Tue Mar 25 18:50:00 2003 (GMT)
  Or reason for you to troll on deadly.org.


       
Re: Kewl, now there's really no reasons to use Ope (mod 0/102)
by Anonymous Coward on Tue Mar 25 19:58:00 2003 (GMT)
  I guess someone likes patching up the yin yang daily...

         
Re: Kewl, now there's really no reasons to use Op (mod 0/98)
by earx on Tue Mar 25 21:55:00 2003 (GMT)
  No reason to have a brain too
go for the war ?

       
Re: Kewl, now there's really no reasons to use Ope (mod 1/101)
by Anonymous Coward on Tue Mar 25 22:21:00 2003 (GMT)
  two words: swiss cheese.

       
Re: Kewl, now there's really no reasons to use Ope (mod 4/92)
by Anonymous Coward on Tue Mar 25 22:42:00 2003 (GMT)
  Look everyone!....

(points, stares)

a troll...a real, honest to god TROLL!!!!!

...

We now return to our regular scheduled programming.

  btw (mod 5/101)
by netchan (deadly@netchan.cotse.net) on Tue Mar 25 16:09:00 2003 (GMT)
  "battle of the firewalls"

http://www.openbsdforums.org/forums/showthread.php?threadid=7266&ref_=fr

       
Re: btw (mod -1/95)
by ^ESN^ on Tue Mar 25 21:37:00 2003 (GMT)
  Well I just LOVE the idea of having PF in FBSD..

This can make me an even happier user of FreeBSD

  wow (mod 5/115)
by jose on Tue Mar 25 22:36:00 2003 (GMT)
http://monkey.org/~jose/
  silly me .. last two stories got no comments, i wondered "did i break commenting?" lucky for us flameSubmit.php3 err ... commentSubmit.php3 is still up and running.


       
Re: wow (mod 3/91)
by Anonymous Coward on Wed Mar 26 12:12:00 2003 (GMT)
  lol. no replies on two stories was awkward. technical discussion usually draws no attention. tech@openbsd.org being a key example.

  What do you mean "another"? (mod 3/107)
by Anonymous Coward on Tue Mar 25 22:50:00 2003 (GMT)
  Maybe a nitpick, but I think it's an important one for those that might care about licenses on their projects or commercial endeavors, although I could be wrong in my impressions of the licensing situation...

I was under the impression that IPF is not under a BSD or X-like license.

PF is under the BSD license for sure. IPF is, or at least was, not--one of the reasons PF had to be developed is that IPF did not adhere to the BSD license. IPF's creator, Reed, would not change it. Also why IPF was removed entirely from OBSD default.

Unless Reed changed the IPF license, something only he can do due to copyright, and last I heard Reed was saying (but wasn't doing) he would make the license adaptable and favorable to those he liked (which totally sidesteps the point of a BSD license; but maybe for FreeBSD folks, it is under a true BSD license), what other firewall besides PF is both stateful and under a true BSD (or X-like) license?

       
Re: What do you mean (mod 6/92)
by Anonymous Coward on Wed Mar 26 12:23:00 2003 (GMT)
  read and decide:

Copyright (C) 1993-2002 by Darren Reed.

The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.

Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.

The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

I hate legalese, don't you ?


         
Re: What do you mean (mod 1/101)
by tedu on Wed Mar 26 01:35:00 2003 (GMT)
  that means you can't sell it. selling it under a typical commercial license (must buy one copy per use, or can't resell to others) would involve changing the terms.

           
Re: What do you mean (mod 0/96)
by Anonymous Coward on Wed Mar 26 07:46:00 2003 (GMT)
  The license only restricts the licensing of the source, not the binaries. You can make commercial programs with the source as long as the code remains under this license.
In essence, it's developed to guarantee the freedom of developers; in fact, I think this is the best license I've seen, because, 1, it makes it possible to make money off the software while also keeping the code to oneself, unlike GNU crap I might add, and 2, it guarantees that any code released to the public can be incorporated back into IPF.

This is perfect for all parties. Personally, I'm with the 4-clause BSDL or public domain, but this should be a valuable asset in battling GNU's continued ripping of BSD code and not contributing it back.

             
Re: What do you mean (mod -4/94)
by Anonymous Coward on Wed Mar 26 10:08:00 2003 (GMT)
  Hello Mr Reed :)

             
Re: What do you mean (mod -1/97)
by Anonymous Coward on Thu Mar 27 04:01:00 2003 (GMT)
  You are not a copyright lawyer or even someone who pretends to be one, or if you got advice from one, he was high, down, drunk (that's one, the other, or both depending on his brain pathways and alcohol consumption) or mentally fubar'd.

Copyright law, at least in the US, gives certain rights which, if not explicitly stated via license or sale or contract or whatever (e.g. all rights reserved actually no longer needed because all rights reserved is a given under present law), the copyright holder retains.

Such categories include use, distribution, and copying. You can grant none, all, or some combination of them (e.g. a bookstore has the right to distribution of the original copy (and right of first sale allows them to sell used or previously sold copies) but does not have the right to photocopy and then sell that photocopy).

Knowing this, read the IPF license. Compare to other licenses. What's Reed's license missing? Yup.

If you missed it, the utterly funny thing about the license that is so obtusely obvious is that it does not give you the right to copy. Again, you can't "assume" intent under the law--copyright holders gain the benefit of the doubt. Redistribution is distribution rights, which is NOT the same as copying (e.g. a library distributes, a bookstore distributes via sale, a bookstore does not copy). Use is code use (running on your machine), which is needed.

But there is no right to copy granted by the license. Hello? Who wrote this crap? Plainly not BSD.

       
Re: What do you mean (mod 0/98)
by jolan on Wed Mar 26 12:44:00 2003 (GMT)
  By another, he means there's ipfw/ipfw2/ipf.. and now another packet filter.. pf.

       
Re: What do you mean (mod 5/97)
by Anonymous Coward on Fri Mar 28 17:00:00 2003 (GMT)
 
IPFW2 is both under the BSDL and stateful.

It's part of FreeBSD 5.0 onwards.

  No Subject Given (mod 4/112)
by Anonymous Coward on Thu Mar 27 03:08:00 2003 (GMT)
  *yawn* IPtables suck shit. I used it before I switched to oBSD IPF and then PF it was painful; it requires extensive testing to see if the obscure syntax worked the way I intended. Just like Linux it is a kludge with all kinds of useless shit in the kernel.

Where do I request my coffee-webcam protocol in IPTables? I need this in kernel space because it needs to be high performance.

If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.

Oh and for the gamers out there. See previous paragraph; I can, and have, made all games work that I tried.

Go Daniel, PF rocks!

       
Re: No Subject Given (mod 5/93)
by Anonymous Coward on Thu Mar 27 09:46:00 2003 (GMT)
  elitist fool.

> If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.

This is like saying if you like openbsd you obviously don't know that much cause freebsd is better.

> it requires extensive testing to see if the obscure syntax worked the way I intended.

Well, don't blame others if you can't write decent iptables rulesets.

         
Re: No Subject Given (mod -4/94)
by Anonymous Coward on Fri Mar 28 01:20:00 2003 (GMT)
  You are a moron.
You do not understand IP.
You use how-to's.

It's ok you can admit it.

Oh, and FreeBSD is a wonderful OS. Linux isn't.

It's good to be elite.

           
Re: No Subject Given (mod 3/95)
by Anonymous Coward on Fri Mar 28 07:11:00 2003 (GMT)
  Much as I might agree with some of your sentiments, to me you sound 31337, not elite.

         
Re: No Subject Given (mod 3/97)
by The Mighty Fool (202.156.2.82) on Sat Jan 15 11:15:55 2005 (GMT)
  > This is like saying if you like openbsd you obviously don't know that
> much cause freebsd is better.

OTOH... that could really be like saying, if u like eating faeces, you obviously don't know that much cos food is definitely better.

>> it requires extensive testing to see if the obscure syntax worked the
>> way I intended.
>
> Well, don't blame others if you can't write decent iptables rulesets.

i have to agree with you on this one. And that is why, today, i am still using a flip-switch to do all my interfacing and programming with my computer - instead of using my keyboard, or mouse. I don't blame the machine if i can't write decent binary (not mnemonic) assembly. The tool does not truly matter!!!

           
Re: No Subject Given (mod 1/95)
by The Mighty Fool (202.156.2.82) on Sat Jan 15 11:22:35 2005 (GMT)
  sorry!!! i apparently missed out something while in the midst of doing all that interfacing with my flip switch. I apologize for that. It is my own fault. (see, i don't blame the tool).

This is originally what i meant to display, properly formatted...:

> This is like saying if you like openbsd you obviously don't know that
> much cause freebsd is better.

OTOH... that could really be like saying, if u like eating faeces, you obviously don't know that much cos food is definitely better.

>> it requires extensive testing to see if the obscure syntax worked the
>> way I intended.
>
> Well, don't blame others if you can't write decent iptables rulesets.

i have to agree with you on this one. And that is why, today, i am still using a flip-switch to do all my interfacing and programming with my computer - instead of using my keyboard, or mouse. I don't blame the machine if i can't write decent binary (not mnemonic) assembly. The tool does not truly matter!!!

  What will Darren do? (mod 11/105)
by Jae (jaeyun@dds.nl) on Sat Mar 29 19:27:00 2003 (GMT)
  When ipf will be replaced in FreeBSD and NetBSD, will Darren be forking ISO's for them as well?


Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]