Contributed by jose on from the others-using-it-too dept.
Date: Thu, 26 Feb 2004 05:34:18 +0100
From: Max Laier
To: current@freebsd.org
Cc: hackers@freebsd.org, net@freebsd.org
Subject: HEADS UP: pf import

Hi,

we started importing OpenBSD's packet filter (pf) from its port (security/pf). The kernel parts are done, though not linked to any automatic build. If you want to build it already, you can build from the corresponding module directories: sys/modules/{pf, pflog, pfsync}

Make sure to install new and modified headers. Users of the port should hold off until this is done. The port will no longer build with the new headers installed! There is no userland in the tree, yet!

This brings pf from OpenBSD 3.4 with the complete OpenBSD 3.4 function set. It was tested from the port for a long time now and brings some features that were not available to FreeBSD before. We have reports from people successfully running the port (and a preliminary version of the changes committed now) on production-use firewalls and servers.

To get an idea of pf's power I suggest reading the OpenBSD FAQ about it: http://www.openbsd.org/faq/pf/index.html or, if you prefer a summary, check out the port status report: http://www.freebsd.org/news/status/report-oct-2003-dec-2003.html#Porting-OpenBSD's-pf

--
Best regards, | max@love2party.net
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier@EFnet
This is mixed news. On the one hand it's nice to see PF's great work get so much, well-deserved attention. On the other, they're working with a port, possibly outdated, and that can introduce bugs. If you want the latest, most up to date and most stable PF, you're still best off using it on OpenBSD, its native platform. But, it's good to see other people migrating from IPF to PF, just as OpenBSD did. (Note they still have ipfw and ipf hooks.)
By Anonymous Coward () on
That's nice - congratulations to the all developers who have worked so hard on pf.
By James () quel AT quelrod DOT net on mailto:quel AT quelrod DOT net
-quel
By Anonymous Coward () on
The flipside is that FreeBSD will soon have both the best firewalling and SMP support of all the BSD's. PF and the source auditing are the major selling points for OpenBSD (for me at least). SMP and PF is a combination hard to beat for internet facing servers. I heartily applaud the efforts of Niklas to get SMP running but I think that the other developers may want to revise their priorities and get SMP up there. No SMP is beginning to bite for OpenBSD.
By Anthony () on
And FreeBSD can't touch OpenBSD in a number of areas. It's waaaay more work to install and administer FreeBSD.
Different priorities. Specialization. Everyone that is willing to use more than one OS wins.
By Anonymous Coward () on
PF on FreeBSD begins to blur the line for me, especially given the proliferation of SMT in commodity hardware. Don't get me wrong, I am a staunch supporter of OpenBSD (financially too if you care) but the lack of SMP concerns me greatly. Open is easier to administer than Free but I'll make the extra effort if it means I'm not wasting 50% of the CPU's in the 2U rackmount, you know?
By Anthony () on
Write some multi-threaded code. Try it on a P4 with HT enabled and disabled.
By Anonymous Coward () on
I am more or less a complete newb when it comes to Unix but I am not stupid. I've played with Open for a while and in fact had it running as my firewall for a number of months. At the same time I was playing with another Free machine and found it much easier to learn on and upgrade.
Once I saw that PF had been ported to Free I changed my firewall. I would be willing to go back to Open if it really would be easier for me.
TIA
By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/
That's the way I see OpenBSD is easier than FreeBSD to administer :)
By Anonymous Coward () on
-current always builds given a 30 minute window for errors introduced by cvs commits.
By Anonymous Coward () on
Unless you're doing other things and running other stuff that's somehow harder in OpenBSD, but I'm not sure what's really harder/easier.
Anyways, my $0.02 is that taking the easy way to things isn't always the best way; but maybe that's just me.
If you're more or less a newb (not being rude) as you said, then you should at least give both a try and learn them both. Later on you'll find one does some things better than the other for you and you'll be able to do it easily. I've run into a lot of things like this over time. I now highly believe in using the right tool for the job - and yes, sometimes that can be Windows.
Regards.
By Anthony () on
The GENERIC kernel on OBSD supports very nearly everything while on FreeBSD you need to recompile pretty often. Not as much as Linux, but still. It's not hard, but it takes effort.
On OpenBSD, ports. just. work. On FreeBSD you end up digging through the comments and so forth to see that oh, you need to define such and such a variable to get the functionality you wanted.
On FreeBSD, even drivers that are in the generic kernel as modules often need to be explicitly loaded. And it's not always entirely obvious which, you need to go looking through the dmesg and man pages. Dependencies between modules that aren't loaded automatically aren't always obvious, and the documentation in that area is poor.
Basically, if people will yell at me when there's downtime, I pick OpenBSD unless I have a good reason not to. With a firewall machine, there aren't any good reasons to pick something else.
By Anonymous Coward () on
I ask this because I find FreeBSD's Handbook and FAQ to be better organized. Perhaps this type of documentation was not what you had been referring to, but this is usually the documentation I first look at when I have a problem.
AFAIK, OpenBSD doesn't have a Handbook per se, but it does have a FAQ. The FAQ is good, but it could be better. I can elaborate further if required.
With enough poking and prodding I can find the information that I need in the FAQ found on the OpenBSD website, but sometimes I have to look in not so obvious places for the information that I require.
Perhaps after I get more acquainted with the FAQ layout, I'll be able to navigate through the FAQ more efficiently.
By zp () on
You'd be amazed how many problems can be solved simply by reading man pages. People have been doing it long time before Google (or Alta Vista) existed.
Frankly, I find it sometimes sad that even techies are googling and picking information from some lame guy who has no idea what he is talking about instead of reading a man page FIRST.
Most recent example. A colleague told me that he had finally googled out the way to use color in his ls on Mac OS X by installing a GNU package. I pointed him to 'man ls' on his Mac OS X and the fact that it states that setting CLICOLOR to 1 in your .login (.profile) enables colored output. The answer was there in seconds, and he was 'googling' half a day for the wrong one.
By Dan Brosemer () odin@svartalfheim.net on mailto:odin@svartalfheim.net
The RAID controller support isn't in the FreeBSD kernel as it ships. Try booting off disks your kernel doesn't support.
To even get FreeBSD installed, I had to build a custom set of boot floppies.
To be fair, this was 4.7. This may have changed with -CURRENT... but I don't run -CURRENT on production hardware.
By zp () on
Oh, yes, and I needed to find that my sound card is supported through some obscure kernel module which I had to tell it explicitly to load in /boot/loader.conf.
And APM didn't work at all. It would hang the machine and never return from suspend.
No work needed with OpenBSD. It just works.
By Anonymous Coward () on
NetBSD -current supports both. FreeBSD 4.9-RELEASE and FreeBSD 5.2.1-RELEASE support both. So what you've claimed is actually the other way round in this case. Granted, there are cases where drivers first appear in OpenBSD (e.g., 3Com 940), but FreeBSD ported the driver pretty quickly. But in the LSI 1030's case, I remember it was on the list of last year's Hackathon, but it's still not there as of today.
Speaking of OpenBSD's ports, sure, they will work. But it offers far, far less third-party package support compared to FreeBSD. Heck, I'd rather use NetBSD's pkgsrc on OpenBSD.
Don't get me wrong, I use OpenBSD on a daily basis, at the place where it shines - the firewall.
By Anonymous Coward () on
Bah! that's a highly subjective argument you're making there. Still, being able to trade code like stock cars "trade paint" is what makes *BSD so friggin' awesome.
By strgout () strgout@unixjunkie.com on mailto:strgout@unixjunkie.com
please include examples of updating config files also.
By Anonymous Coward () on
On a personal note, I firewall all my BSD boxen so that only the services I want visible, are. This is irrespective of any other firewalls on the network.
By Dan () on
Now pf is just a tcp/ip filter. One of the best, but just a tcp/ip filter.
More and more application filtering is needed.
If proxies are chosen to do the job (which has some problems, like integration with per-user rules) they need to be run somewhere.
Usually these proxies have to be run on the firewall itself.
Proxies can be very CPU intensive, and when you add the overhead of pf redirection and proxy socket operations, you need lots of power.
But I think it's not the point.
SMP is good for marketing. That's all.
IMHO one 2GHz CPU is much better than 2x1GHz CPUs on any platform or OS (except mainframe zOS :).
By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com
>SMP is good for marketing. Thats all.
>IMHO one 2gh CPU is much better that 2x1gh CPU on any
>platform or os (except mainframe zOS :).
Let's see... Cray? ConnectionMachine? SunFire 15K?
Have you EVER seen an OS running on REAL hardware?
Damn you PeeCee weenies
By Dan () on
I wasn't talking about the very high end computers, which are usually only for research.
I was talking about the average SMP machine, which has 2-4 CPUs, maybe 8.
Do you really think that using a 4x500MHz Sun is better than a 1x2000MHz Sun? If so, please explain why.
BTW, I think you shouldn't shout TROLL just because I expressed my opinion. I was never saying that I am God and everyone else is a fool, and I am 100% right. I think IMHO means In My Humble Opinion. But English is not my native language so maybe I am wrong.
And I think you should take in mind that every rule has an exception except the rule that every rule has an exception... :)
By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com
I accept your point that " every rule have exception", yet you were the one that made assertions in absolutes.
I'm not going to explain computer architecture to you in a brief post to a website, I'd suggest you go and buy a book, do some research and find out for yourself.
By Dan () on
zOS has nothing to do with the other monsters you mentioned.
In the perspective of MIPS, Z is not very impressive. You can get better results with most big Unixes.
Its strength is in IO operations and hardware-assisted virtualization. Its super strength is in zOS + the hardware.
You're right about the ANY. I should have used "typical" ...
BTW, what book do you recommend?
By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com
http://www.bookpool.com/.x/4o4gkt7tlr/sm/1558604286
By zp () on
You should have recommended the same authors, but
Computer Architecture: A Quantitative Approach.
By djm () on
I can't imagine any of the systems you mention being used for packet filtering. Worse, the ConnectionMachine isn't even a standard von Neumann architecture IIRC.
So, who's trolling?
By Anonymous Coward () on
That is because it is, the various ways SMP can work is lost on most people, yet they argue the toss about it.
Yes, SMP is cool, and there are good reasons for having it, but none of the open source OSes have solid support, and I figure that OpenBSD will want it fairly solid.
By Anonymous Coward () on
So what you're saying is let's all use java or other buffer-overflow-safer languages instead of C/C++?
> Yes, SMP is cool, and there are good reasons for
> having it, but none of the open source OSes have
> solid support, and I figure that OpenBSD will
> want it fairly solid.
OpenBSD didn't wait for other OSes to be secure. If OpenBSD "want [SMP] fairly solid," they'll do it just like they want security solid.
By noone () on
> IMHO one 2gh CPU is much better that 2x1gh CPU on
> any platform or os (except mainframe zOS :).
Of course, but as even any troll knows, 2 or 4 3GHz CPU's beats one 3GHz CPU any day.
By Bruce () on
Anyway, I would prefer all the speed I can get out of this OpenBSD box, and if SMP support were available I would welcome it. Of course, if Theo et al. feel their time is better spent on other security related enhancements, I will just improve my web server performance by purchasing a better uni-processor box once in a while. No complaints here, just a mild wish.
By Chris Humphries () chris@unixfu.net on http://unixfu.net/
Open Source in action :)
Just would be nice to see UFS2 and mysu in OpenBSD.
By Nate () on
Perhaps they are seeking a port of mysu.
By Chris Humphries () chris@unixfu.net on http://unixfu.net
it is a better version of su.
By Konstantin Leontiev () root -at- combellga -dot- ru on http://combellga.ru/
I'm an administrator in a Russian telecommunication company.
I'm a newbie in OpenBSD (using it in a production environment only for several months), but I think that the greatest features for me in OpenBSD are the Default Security Settings and the Packet Filter.
I use PF+OB in the morning, at midday and at midnight ;) Many many tasks with load balancing, filtering and prioritization I made with PF. A great new feature is PFSYNC.
Only one feature now I need in PF: ALG (Application Layer Gateway) (or NAT editor) like in Cisco NAT or M$ NAT.
And I hope that you can finish SMP by the middle of 2004.
By Anonymous Coward () on
What's OB? As in PF+OB?
By Janos Mohacsi () janos.mohacsi@bsd.hu on mailto:janos.mohacsi@bsd.hu
Regards,