OpenBSD Journal

PF for FreeBSD 5.0

Contributed by jose on from the portable-guards dept.

Pyun YongHyeon writes:
"Hello there.

I have ported pf to FreeBSD 5.0. Currently it works well, though many nice features of pf are not tested. I have ported it to make FreeBSD users know there is another excellent stateful packet filter with a BSD license. The URL is the following.

ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_freebsd_0.3.tar.bz2

Thanks."

Wow, this is pretty cool. I know that PF had been ported to NetBSD as well (as an LKM, without ALTQ), but I didn't know about this effort for FreeBSD. It's good to see that people are mixing up their options, and maybe they can contribute something back to OpenBSD's PF.



  1. By Anonymous Coward () on

    How does pf, and the other respective *bsd firewalls compare to iptables for linux?

    From my short look into similarities, it would appear iptables can do a bit more, and is a tad faster.

    What are other readers experiences?

    Please, no bitching/trolling, I was just after a technical comparison.



    1. By deekayen () on

      That's a silly question. IPTables authors are going to say theirs is better where Daniel Hartmeier will say otherwise with neither being wrong. Daniel did a benchmark once. Search through http://www.benzedrine.cx/pf.html

      1. By miked512 () miked512@msn.com on mailto:miked512@msn.com

        Well, from my studies it's all dependent on what you're trying to do. Deekayen is right though, they're both better than the other in their own rights.

      2. By Anonymous Coward () on

        Performance is not an issue with the firewall. Security is. Linux's firewall does not do real stateful inspection for instance.

        1. By Anonymous Coward () on

          Performance *is* an issue. IPF cannot handle the same number of packets that PF can. That is a BFD* in my book.

          *(BFD == Big F*cking Deal)

          1. By RC () on

            The difference in performance between firewalls is nominal. The CPU power required for processing rules is nothing next to the CPU power required for the handling of interrupts on the network cards, unless you have a freaking monstrous ruleset. I'm surprised anyone would care about performance at all when you can get multi-gigahertz machines for less than $300.

            1. By Anonymous Coward () on

              When I have to get a new machine for IPF, vs using my current machine for PF, that is a BFD. CPU utilization is only one part of the equation, but new machines == money I could better spend elsewhere.

            2. By Henning () henning@openbsd.org on mailto:henning@openbsd.org

              IPFilter could not handle my load on a Duron 700/128MB/3x21143.
              pf on the same machine handles twice the load nowadays with a peak of 12% CPU.

              performance does not matter, eh? well, the performance difference between IPFilter and pf was the key between can use and impossible here.

        2. By Anonymous Coward () on

          do you have anything to back that statement up?

          1. By Anonymous Coward () on

            On the previous comment comparing "ipf" and "pf".

            I have no personal experience using OpenBSD's "pf"; however, I have lots of experience with FreeBSD's "ipfw" and I have also extensively used "ipf".

            From my experiences I have found that "ipf" is *significantly* slower than "ipfw". Although the "ipf" syntax is simpler, it simply lacks a lot of the features and functionality of "ipfw".

            I am extremely interested in "pf", particularly for the "authpf" and "altq" features, which are non-existent with "ipfw" -- there are some queuing tools, but nothing that can compare to OpenBSD's "altq".

            Just my 2 cents.

    2. By Ben Johnson () on


      IPF/PF are vastly more sane to figure out than iptables.

      PF in particular is a dream - port forwarding, filtering, cleaning and shaping configured in one easy to use text file.

      Also do consider the whole environment: a default OpenBSD with PF will be more secure than a default Red Hat 8.1 with iptables. (In addition, the OpenBSD box will be more stable IMHO.)

      Just like Linux is great for the latest releases of desktops, browsers and office suites, OpenBSD is great for firewalls, authentication and stability.

      They both have their place.

      1. By Piero Leonardo Rodrigues () piero@irapida.com.br on www.irapida.com.br

        Like Ben Johnson says: They both have their place.

        iptables has some things which don't exist in pf, like the log schema, which is more advanced than pf's.
        But for security, firewall and enjoy :) .. I prefer OpenBSD + pf

        1. By Anonymous Coward () on

          > iptables has some things which don't exist in pf,

          Name some useful features which iptables provides and PF does not.

          > like the log schema, which is more advanced than pf's.

          What is wrong with pflog? Logging everything in a pcap file is incredible (being able to use tcpdump, ethereal, snort, ... on your log files).
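To make the pflog point concrete, here is an added pf.conf fragment (not from the thread or from any poster) that logs dropped packets and the first packet of accepted SSH connections, with the standard tcpdump invocations for reading the log in comments. The interface name fxp0 and the log path /var/log/pflog are assumptions for the example.

```pf
# Added example, not from the original thread. Assumed interface: fxp0.
ext_if = "fxp0"

# Default deny on the external interface, logging every packet this rule drops.
# pflogd(8) writes logged packets to /var/log/pflog in pcap format.
block in log on $ext_if all

# With keep state, only the packet that creates the state is evaluated against
# this rule, so only the opening packet of each connection is logged.
# (pf.conf(5) of that era offered log-all to log every packet instead.)
pass in log on $ext_if proto tcp from any to $ext_if port 22 keep state

# Let the firewall itself talk out.
pass out on $ext_if keep state

# Reading the log with ordinary pcap tools (as root):
#   tcpdump -n -e -ttt -r /var/log/pflog            # archived log file
#   tcpdump -n -e -ttt -i pflog0                     # live, as packets are logged
#   tcpdump -n -e -ttt -r /var/log/pflog port 22     # normal pcap filters apply
# -e prints the pflog link-level header: rule number, action and interface.
```

Because the log is plain pcap, the same file can be fed to any tool that reads that format, which is the point the comment above makes; the rule number in the pflog header lets you map each logged packet back to the rule in pf.conf that produced it.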

    3. By Sherrod () sherrod@girlvinyl.com on http://girlvinyl.com

      IPtables [and especially upgrading from IPchains] in my experience is just a big mess to deal with. One of my favourite things about OpenBSD is that it has a supremely easy syntax for writing your pf rules. It looks almost like plain English - no confusion.

      Plus you can add NAT with one line.
      :]

    4. By Anonymous Coward () on

      FreeBSD's IPFW2 is by far the fastest, no comparison, but I think the design and features of PF are the best.
      IPtables is a mess, typical GNU and Linux style; performance is on par with IP.

    5. By Anonymous Coward () on

    6. By Alejandro G. Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com

      Just for a start pf does true TCP sequence stateful inspection. Linux IPTables does not. What they call "stateful inspection" is more of a "kind of get the same result most of the time". Because they wanted to be able to keep states between reboots. PF will solve this differently in 3.4 (look for /dev/pfsync ;-).

      1. By Steph L () Stephane.Lentz@ansf.alcatel.fr on mailto:Stephane.Lentz@ansf.alcatel.fr

        I thought that IPTABLES did stateful inspection (http://www.sns.ias.edu/~jns/security/iptables/ mentions it does, for instance).
        Are you sure?

        In some Linux French magazine some guy mentioned, in some IPTABLES/NETFILTER vs PF comparison, that:
        - PF lacks some modules to follow some connections that Netfilter offers.
        Example: IRC module (for DCC traffic)
        - PF lacks front-ends (IPTABLES offers many)
        - PF lacks load-balancing

        He mentions that add-ons such as authpf, normalization are really valuable.

        1. By Dries Schellekens () on

          > I thought that IPTABLES did stateful inspection (http://www.sns.ias.edu/~jns/security/iptables/ mentions it does, for instance).
          > Are you sure?

          According to tcp-window-tracking still is a patch and enabled by default.

          > In some Linux French magazine some guy mentioned, in some IPTABLES/NETFILTER vs PF comparison, that:
          > - PF lacks some modules to follow some connections that Netfilter offers.
          > Example: IRC module (for DCC traffic)

          Look at ports net/tircproxy.

          > - PF lacks front-ends (IPTABLES offers many)

          There exist plenty of GUIs to create PF rules: fwbuilder, WallFire, SOFI, ... (lots of tools are listed on Daniel's website).

          > - PF lacks load-balancing

          This is one of the new features in OpenBSD 3.3.

          1. By Dries Schellekens () on

            > According to tcp-window-tracking still is a patch and enabled by default.

            Clearly this should not be enabled by default.

        2. By RC () on



          What is "follow some connections" supposed to mean?

          PF needs no front-end, it is an incredibly elegant syntax, and probably easier to learn the syntax than to learn a front-end... Besides, I have heard of one front-end for PF, I have no doubt there are more.

          PF certainly has load-balancing.

          In addition to authpf, and normalization, PF has a modulate state option, very good performance, and all sorts of features are being added... practically daily.

          I can't say any more about the differences, because I haven't used any non-OpenBSD options in quite some time.

        3. By Alejandro Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com

          Even though it's got "stateful inspection", it's not a theoretically perfect adherence to the standards. With ICMP and UDP it's the same as PF, but on TCP it doesn't correctly use the sequence number window. Someone else has written here that there's a patch around. But it's not a default option. In any case it is not as tested as PF.
          Regarding the connection tracking, PF might have fewer modules. But consider protocols that don't work with NAT brain dead (you can't really defend FTP, and the SIP committee is unforgivable, but surely it was made on purpose).
          Besides, it has modulation of state and randomization of IP IDs. This means a real increase in security.

      2. By Anonymous Coward () on

        Why would anyone want to save the states between reboots?

        1. By Anonymous Coward () on

          disconnection of instant messengers!

          1. By thebiMbo () on

            ROFL!

        2. By Dries Schellekens () on

          Yes, this seems quite useless. PF is able to pick up existing connections when using keep state; of course modulate state will not work, because the ISN modulation will be lost between reboots (this is described in pf.conf(5)).

          pfsync(4) will only be interesting in case of failover; but a good failover mechanism (VRRP) is lacking because of patent stuff.
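The two points made in this sub-thread (Alejandro's, that pf offers state modulation and IP ID randomization; Dries's, that keep state can pick up an existing connection after a reboot while modulate state cannot) fit in one short pf.conf fragment. This is an added example, not from the thread or from any poster; the interface names fxp0 and fxp1 are assumptions.

```pf
# Added example, not from the original thread.
# Assumed interfaces: fxp0 external, fxp1 internal.
ext_if = "fxp0"
int_if = "fxp1"

# Replace the IP ID of outgoing packets with a random value, so the
# predictable IP IDs of internal hosts cannot be used to count or
# fingerprint them from outside.
scrub out on $ext_if all random-id

block all

# keep state: pf tracks the connection (including the TCP sequence
# window). Because this rule does not restrict flags to S/SA, pf will
# also create a state from a mid-stream packet of a connection that
# was set up before the last reboot, which is what "pick up existing
# connections" means above.
pass out on $ext_if proto { tcp udp icmp } all keep state
pass in on $int_if from $int_if:network to any keep state

# modulate state: as keep state, but pf also rewrites the initial
# sequence numbers with a strong random offset, protecting servers
# with poor ISN generation. The offset exists only in the state table,
# so such a connection cannot be picked up again after a reboot.
# flags S/SA makes sure only a real connection opening creates the state.
pass in on $ext_if proto tcp from any to $ext_if port { 25 80 } flags S/SA modulate state
```

The trade-off is the one Dries describes: modulate state buys ISN protection for the hosts behind the firewall at the cost of connections that do not survive a firewall restart, so it is typically applied to inbound connections from untrusted clients rather than to every rule.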

        3. By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl

          Actually, I personally think it's more useful if you have a cluster of firewalls.

          I have not seen any (non-commercial) firewall (pf, iptables and 'friends') who can replicate or distribute connection-tracking.

          1. By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl

            OK, they are working on it for pf and there used to be a mailing list dedicated to figuring out how to do it for netfilter/iptables; they didn't agree and didn't do much work on it.

            So I stand corrected, if some1 wants to comment on my comment. :-)

            1. By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl

              wrong again, there are people working at it, the kernel interface for iptables/netfilter is actually there... there is a patch in patch-o-matic: ctnetlink or nfnetlink

      3. By Anonymous Coward () on

        I can do that with PF too.

        "Pass out keep state". Done.

        Doesn't mean that is a good idea, but it is possible. I've heard rumors that PF will support sharing state over a backbone end, and that will be super cool. (For fail-over firewalls)

    7. By Anonymous Coward () on

      Let's just say you'll never hear "well, I'd love to use *BSD, but I just can't live without IPTables!"

      IPF and PF make more sense to myself personally. Some people prefer the more command-oriented (as opposed to file-oriented) rule style of IPFW and IPTables. In IPF/PF, you just edit a file with your rules, and can change the state of the firewall with a control utility. With IPTables and IPFW, you add/change/delete rules with the same utility, often through a shell script or some such. I'd go for IPFW over IPTables, since

      - it runs under FreeBSD
      - its syntax isn't a horrible mess of command-line arguments.

      I haven't run into anything that I can do with Linux/IPTables that I can't do with the alternatives.

      1. By Anonymous Coward () on

        > Let's just say you'll never hear "well, I'd love to use *BSD, but I just can't live without IPTables!"


        ROFL!

    8. By Anonymous Coward () on

      Iptables is hard to configure compared to IPF or PF. Long options, you have to run their program in order to set each rule (iptables this, iptables that). Plus for bandwidth control you need other separate tools which are even more obscure.

      IPF and PF are very easy to figure out. PF also has very useful additional features. If you want to add some temporary rules you just invoke `ipf -f -` and write your rules, then ctrl+c. This is just beautiful! And ALTQ has a very easy to understand, sane configuration file compared to those Linux tools.

      Don't get me wrong. I am using Linux mostly for the desktop and FreeBSD on servers. Both work fine. I just hate iptables syntax.

    9. By Anonymous Coward () on

      one thing that sucks about it is that it doesn't work right when NATing for a bunch of games such as STARCRAFT and sometimes with Quake. It used to work with Quake for me before it was PF, but now that I am using PF, it doesn't work. About every year, I test both a linux 2.2 machine with the old ipchains and a new openbsd box, but openbsd always messed up the games with NAT, but the old linux box always works. This is one of the only things I can't fix (there are a bunch of gamers inside one of my networks!!!!)

      1. By Dries Schellekens () on

        Use static-port on your nat rules (this is a new feature in 3.3). From pf.conf(5): With nat rules, the static-port option prevents pf(4) from modifying the source port on tcp and udp packets. This should fix most broken applications (nat ignorant), like games.
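An added example of the static-port advice above, in the nat-rule syntax of that era's pf.conf(5). It is not from the thread or from any poster; the interface names, the 192.168.1.0/24 LAN and the 192.168.1.50 game host are constructed for the example.

```pf
# Added example, not from the original thread.
# Assumed: fxp0 external, fxp1 internal, 192.168.1.0/24 as the LAN,
# 192.168.1.50 as the NAT-ignorant game host.
ext_if = "fxp0"
int_if = "fxp1"
lan = "192.168.1.0/24"
game_host = "192.168.1.50"

# For nat rules the FIRST matching rule wins, so the specific rule comes first.
# static-port keeps the client's own source port instead of substituting a
# random high port; games that tell the peer "reply to me on port N" then
# keep working through the translation.
nat on $ext_if from $game_host to any -> $ext_if static-port

# Everyone else gets the normal translation, where pf may rewrite the source port.
nat on $ext_if from $lan to any -> $ext_if

# Translation alone passes nothing: filter rules still decide what gets through.
block all
pass in on $int_if from $lan to any keep state
pass out on $ext_if keep state
```

The reason not to put static-port on every nat rule is the usual one: without port rewriting, two internal hosts that pick the same source port towards the same destination collide on the single external address, so the option is best limited to the hosts that actually need it.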

        1. By Anonymous Coward () on

          Thanks for the info!!!!!!!

    10. By Anonymous Coward () on

      I've used iptables, ipchains, ipf and pf. I'll take *pf over the Linux alternatives. When it comes right down to it, pf is easier and more powerful. Why don't you actually try to use both and then come back and post. You must have been on crack during your "short look into similarities".

  2. By miked512 () miked512@msn.com on mailto:miked512@msn.com

    YES, I'VE BEEN WAITING ON THIS!!!!!!

    Not like I don't use OpenBSD or anything. ;-)
    I hope it works well.

    1. By Anonymous Coward () on

      I think this'll be GREAT! I hope bridging with PF will work; unlike IPF with bridging which didn't filter bridged frames (the main thing that made me switch to OpenBSD long ago.)

      Will they import this into FreeBSD or will it be a separate thing?

      1. By Anonymous Coward () on

        ipfw filters on bridges just fine...ipfw2 added a bunch more features to it as well.

        i have a freebsd server with 2 4-port nics running 4 independent bridges here using ipfw1 (lkm) to filter out multicast

        1. By Anonymous Coward () on

          That's IPFW, I meant that IPF didn't do it and wondering if PF will now do it?

            1. By Anonymous Coward () on

              ok, here goes again...

              I'm still referring to FreeBSD 5.0 with pf and bridging; not OpenBSD. I use OpenBSD for this and I swear by it. Like I originally said, I wonder if pf will support filtering bridged packets (in FreeBSD 5.0) because I know for a fact IPF didn't, only IPFW did.

              1. By Anonymous Coward () on

                this was a 'darren' restriction

                he put up a patch to make it work which was like 8 lines of code on the ipf mailing list. i never tried it.

            2. By Hendrik Scholz () hscholz@raisdorf.net on http://www.raisdorf.net/

              Just for completeness: ipf can do the same trick as described on http://www.raisdorf.net/bridge
              I cannot compare the two as I'm running ipf on most systems.

              1. By Anonymous Coward () on

                Thanks!

  3. By Hiya () on

    ....

    1. By uNF () on

      Or reason for you to troll on deadly.org.

    2. By Anonymous Coward () on

      I guess someone likes patching up the yin yang daily...

      1. By earx () on

        No reason to have a brain too
        go for the war ?

    3. By Anonymous Coward () on

      two words: swiss cheese.

    4. By Anonymous Coward () on

      Look everyone!....

      (points, stares)

      a troll...a real, honest to god TROLL!!!!!

      ...

      We now return to our regular scheduled programming.

  4. By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net

    "battle of the firewalls"

    http://www.openbsdforums.org/forums/showthread.php?threadid=7266&ref_=fr

    1. By ^ESN^ () on

      Well i just LOVE the idea of having PF in FBSD..

      this can make me an even happier user of FreeBSD

  5. By jose () on http://monkey.org/~jose/

    silly me .. last two stories got no comments, i wondered "did i break commenting?" lucky for us flameSubmit.php3 err ... commentSubmit.php3 is still up and running.

    1. By Anonymous Coward () on

      lol. no replies on two stories was awkward. technical discussion usually draws no attention. tech@openbsd.org being a key example.

  6. By Anonymous Coward () on

    Maybe a nitpick, but I think it's an important one for those that might care about licenses on their projects or commercial endeavors, although I could be wrong in my impressions of the licensing situation...

    I was under the impression that IPF is not under a BSD or X like license.

    PF is under the BSD license for sure. IPF is, or at least was, not--one of the reasons PF had to be developed is that IPF did not adhere to the BSD license. IPF's creator, Reed, would not change it. Also why IPF was removed entirely from OBSD default.

    Unless Reed changed the IPF license, something only he can do due to copyright, and last I heard Reed was saying (but wasn't doing) he would make the license adaptable and favorable to those he liked (which totally sidesteps the point of a BSD license; but maybe for FreeBSD folks, it is under a true BSD license), what other firewall besides PF is both stateful and under a true BSD (or X like) license?

    1. By Anonymous Coward () on

      read and decide:

      Copyright (C) 1993-2002 by Darren Reed.

      The author accepts no responsibility for the use of this software and
      provides it on an ``as is'' basis without express or implied warranty.

      Redistribution and use, with or without modification, in source and binary
      forms, are permitted provided that this notice is preserved in its entirety
      and due credit is given to the original author and the contributors.

      The licence and distribution terms for any publically available version or
      derivative of this code cannot be changed. i.e. this code cannot simply be
      copied, in part or in whole, and put under another distribution licence
      [including the GNU Public Licence.]

      THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
      ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
      FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      SUCH DAMAGE.

      I hate legalese, don't you ?

      1. By tedu () on

        that means you can't sell it. selling it under a typical commercial license (must buy one copy per use, or can't resell to others) would involve changing the terms.

        1. By Anonymous Coward () on

          The license only restricts the licensing of the source, not the binaries. You can make commercial programs with the source as long as the code remains under this license.
          In essence, it's developed to guarantee the freedom of developers; in fact, I think this is the best license I've seen, because, 1, it makes it possible to make money off the software while also keeping the code to oneself, unlike GNU crap I might add, and 2, it guarantees that any code released to the public can be incorporated back into IPF.

          This is perfect for all parties. Personally, I'm with the 4 clause BSDL or public domain, but this should be a valuable asset in battling GNU's continued ripping of BSD code without contributing it back.

          1. By Anonymous Coward () on

            Hello Mr Reed :)

          2. By Anonymous Coward () on

            You are not a copyright lawyer or even someone who pretends to be one, or if you got advice from one, he was high, down, drunk (that's one, the other, or both depending on his brain pathways and alcohol consumption) or mentally fubar'd.

            Copyright law, at least in the US, gives certain rights which, if not explicitly stated via license or sale or contract or whatever (e.g. all rights reserved actually no longer needed because all rights reserved is a given under present law), the copyright holder retains.

            Such categories include use, distribution, and copying. You can grant none, all, or some combination of them (e.g. a bookstore has the right to distribution of the original copy (and right of first sale allows them to sell used or previously sold copies) but does not have the right to photocopy and then sell that photocopy).

            Knowing this, read the IPF license. Compare to other licenses. What's Reed's license missing? Yup.

            If you missed it, the utterly funny thing about the license that is so obtusely obvious is that it does not give you the right to copy. Again, you can't "assume" intent under the law--copyright holders gain the benefit of the doubt. Redistribution is distribution rights, which is NOT the same as copying (e.g. a library distributes, a bookstore distributes via sale, a bookstore does not copy). Use is code use (running on your machine), which is needed.

            But there is no right to copy granted by the license. Hello? Who wrote this crap? Plainly not BSD.

    2. By jolan () on

      By another, he means there's ipfw/ipfw2/ipf.. and now another packet filter.. pf.

    3. By Anonymous Coward () on


      IPFW2 is both under the BSDL and stateful.

      It's part of FreeBSD 5.0 onwards.

  7. By Anonymous Coward () on

    *yawn* IPtables suck shit. I used it before I switched to oBSD IPF and then PF. It was painful; it requires extensive testing to see if the obscure syntax worked the way I intended. Just like Linux it is a kludge with all kinds of useless shit in the kernel.

    Where do I request my coffee-webcam protocol in IPTables? I need this in kernel space because it needs to be high performance.

    If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.

    Oh and for the gamers out there. See previous paragraph; I can, and have, made all games work that I tried.

    Go Daniel, PF rocks!

    1. By Anonymous Coward () on

      elitist fool.

      > If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.

      This is like saying if you like openbsd you obviously don't know that much cause freebsd is better.

      > it requires extensive testing to see if the obscure syntax worked the way I intended.

      Well, don't blame others if you can't write decent iptables rulesets.

      1. By Anonymous Coward () on

        You are a moron.
        You do not understand IP.
        You use how-to's.

        It's ok you can admit it.

        Oh, and FreeBSD is a wonderful OS. Linux isn't.

        It's good to be elite.

        1. By Anonymous Coward () on

          Much as I might agree with some of your sentiments, to me you sound 31337, not elite.

      2. By The Mighty Fool (202.156.2.82) on

        > This is like saying if you like openbsd you obviously don't know that
        > much cause freebsd is better.

        OTOH... that could really be like saying, if u like eating faeces, you obviously don't know that much cos food is definitely better.

        >> it requires extensive testing to see if the obscure syntax worked the
        >> way I intended.
        >
        > Well, don't blame others if you can't write decent iptables rulesets.

        i have to agree with you on this one. And that is why, today, i am still using a flip-switch to do all my interfacing and programming with my computer - instead of using my keyboard, or mouse. I don't blame the machine if i can't write decent binary (not mnemonic) assembly. The tool does not truly matter!!!

        1. By The Mighty Fool (202.156.2.82) on

          sorry!!! i apparently missed out something while in the midst of doing all that interfacing with my flip switch. I apologize for that. It is my own fault. (see, i don't blame the tool).

          This is originally what i meant to display, properly formatted...:

          > This is like saying if you like openbsd you obviously don't know that
          > much cause freebsd is better.

          OTOH... that could really be like saying, if u like eating faeces, you obviously don't know that much cos food is definitely better.

          >> it requires extensive testing to see if the obscure syntax worked the
          >> way I intended.
          >
          > Well, don't blame others if you can't write decent iptables rulesets.

          i have to agree with you on this one. And that is why, today, i am still using a flip-switch to do all my interfacing and programming with my computer - instead of using my keyboard, or mouse. I don't blame the machine if i can't write decent binary (not mnemonic) assembly. The tool does not truly matter!!!

  8. By Jae () jaeyun@dds.nl on mailto:jaeyun@dds.nl

    When ipf will be replaced in FreeBSD and NetBSD, will Darren be forking ISO's for them as well?

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]