OpenBSD Journal

FreeBSD imports PF

Contributed by jose on from the others-using-it-too dept.

Wouter writes: " http://marc.theaimsgroup.com/?l=freebsd-hackers&m=107776990701303&w=2



Date: Thu, 26 Feb 2004 05:34:18 +0100
From: Max Laier


To: current@freebsd.org
Cc: hackers@freebsd.org, net@freebsd.org
Subject: HEADS UP: pf import

Hi,

we started importing OpenBSD's packet filter (pf) from its port
(security/pf). The kernel parts are done, though not linked to any
automatic build. If you want to build it already, you can build from the
corresponding module directories:
        sys/modules/{pf, pflog, pfsync}

Make sure to install new and modified headers.

Users of the port should hold off until this is done. The port will no
longer build with the new headers installed! There is no userland in the
tree, yet!

This brings pf from OpenBSD 3.4 with the complete OpenBSD 3.4 function
set. It has been tested in the port for a long time now and brings some
features that were not available to FreeBSD before. We have reports from
people successfully running the port (and a preliminary version of the
changes committed now) on production-use firewalls and servers.

To get an idea of pf's power I suggest reading the OpenBSD FAQ about it:
http://www.openbsd.org/faq/pf/index.html

or if you prefer a summary, check out the port status report:
http://www.freebsd.org/news/status/report-oct-2003-dec-2003.html#Porting-OpenBSD's-pf


--
Best regards,                           | max@love2party.net
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | mlaier@EFnet


This is mixed news. On the one hand it's nice to see PF's great work get so much, well-deserved attention. On the other, they're working with a port, possibly outdated, and that can introduce bugs. If you want the latest, most up to date and most stable PF, you're still best off using it on OpenBSD, its native platform. But, it's good to see other people migrating from IPF to PF, just as OpenBSD did. (Note they still have ipfw and ipf hooks.)



Comments
  1. By Anonymous Coward () on

    > To get an idea of pf's power...

    That's nice - congratulations to the all developers who have worked so hard on pf.

  2. By James () quel AT quelrod DOT net on mailto:quel AT quelrod DOT net

    Actually the port was pf from 3.4 and is feature complete/identical to openbsd. I've been using the freebsd port of pf for quite some time (due to acpi not being supported by openbsd, i use freebsd on my laptop) and it has worked wonderfully.

    -quel

  3. By Anonymous Coward () on

    Do I not remember Pf being imported into Kame? Didn't that mean that Pf became a de facto standard *BSD packet filter? (i.e. also come as part of NetBSD?) Or did politics interfere?

    Comments
    1. By Anonymous Coward () on

      pf is in Kame because itojun is part of Kame & OpenBSD and it makes life easier for him for it to be there. Reading web archives, it seems that NetBSD raised the bar higher than the crew working on integrating it into NetBSD were prepared to jump.

  4. By Anonymous Coward () on

    On one hand, this is great news for both FreeBSD and OpenBSD. PF is being recognised for the very high quality piece of work that it is and incorporated into FreeBSD. OpenBSD's profile as a source of quality code is enhanced which can only be good.

    The flipside is that FreeBSD will soon have both the best firewalling and SMP support of all the BSD's. PF and the source auditing are the major selling points for OpenBSD (for me at least). SMP and PF is a combination hard to beat for internet facing servers. I heartily applaud the efforts of Niklas to get SMP running but I think that the other developers may want to revise their priorities and get SMP up there. No SMP is beginning to bite for OpenBSD.

    Comments
    1. By Anthony () on

      Even when OpenBSD has SMP support it still won't be able to touch FreeBSD in raw performance terms. We won't even be able to touch NetBSD for a while.

      And FreeBSD can't touch OpenBSD in a number of areas. It's waaaay more work to install and administer FreeBSD.

      Different priorities. Specialization. Everyone that is willing to use more than one OS wins.

      Comments
      1. By Anonymous Coward () on

        I quite agree. I've got a dual Xeon server at work running FreeBSD and Samba. I run OpenBSD on my firewall systems. No prizes for guessing why I chose each OS for each application.

        PF on FreeBSD begins to blur the line for me, especially given the proliferation of SMT in commodity hardware. Don't get me wrong, I am a staunch supporter of OpenBSD (financially too if you care) but the lack of SMP concerns me greatly. Open is easier to administer than Free but I'll make the extra effort if it means I'm not wasting 50% of the CPU's in the 2U rackmount, you know?

        Comments
        1. By Anonymous Coward () on

          What papers or benchmarks justify using SMP? Everything I've found is 2 years old, or older.

          Comments
          1. By Anthony () on

            Ah. The old "We don't have it, so maybe you're wrong for wanting it." response.

            Write some multi-threaded code. Try it on a P4 with HT enabled and disabled.

        2. By Anonymous Coward () on

          OpenBSD might do well to sit back a little while longer and compare NetBSD's approach to SMP with FreeBSD's approach to DragonFly's approach. OpenBSD seems to be a little more cautious with new features compared to the other projects, and with reason.

      2. By Anonymous Coward () on

        Just as a curiosity, what is easier to administer on Open as opposed to Free?

        I am more or less a complete newb when it comes to Unix but I am not stupid. I've played with Open for awhile and in fact had it running as my firewall for a number of months. At the same time I was playing with another Free machine and found it much easier to learn on and upgrade.

        Once I saw that PF had been ported to Free I changed my firewall. I would be willing to go back to Open if it really would be easier for me.

        TIA

        Comments
        1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

          Well... at least OpenBSD-current almost always works perfectly. FreeBSD-current is often a disaster that doesn't even compile.

          That's the way I see OpenBSD is easier than FreeBSD to administer :)

          Comments
          1. By Anonymous Coward () on

            > "OpenBSD-current almost always works perfectly."

            -current always builds given a 30 minute window for errors introduced by cvs commits.

          2. By Anonymous Coward () on

            What kind of nitwit would run a "secure" production machine with *BSD-current?

            Comments
            1. By Alejandro Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com

              Actually, when we are beta testing, it's usually safe. Or maybe you have a feature that you really need (like a NIC driver, or CARP). In fact security problems tend to be solved first in current.

        2. By Anonymous Coward () on

          Not to sound rude or anything... Out of curiosity if you were using it as your firewall with PF, how's PF any easier in FreeBSD than OpenBSD? PF is PF.

          Unless you're doing other things and running other stuff that's some how harder in OpenBSD, but not sure what's really harder/easier.

          Anyways, my $0.02 is that taking the easy way to things isn't always the best way; but maybe that's just me.

          If you're more or less a newb (not being rude) as you said, then you should give at least both a try and learn them both. Later on you'll find one does some things better than the other for you and you'll be able to do it easily. I've run into a lot of things like this over time. I now highly believe in using the right tool for the job - and yes, sometimes that can be Windows.

          Regards.

        3. By Anthony () on

          Let's see...

          The GENERIC kernel on OBSD supports very nearly everything while on FreeBSD you need to recompile pretty often. Not as much as Linux, but still. It's not hard, but it takes effort.

          On OpenBSD, ports. just. work. On FreeBSD you end up digging through the comments and so forth to see that oh, you need to define such and such a variable to get the functionality you wanted.

          On FreeBSD, even drivers that are in the generic kernel as modules often need to be explicitly loaded. And it's not always entirely obvious which, you need to go looking through the dmesg and man pages. Dependencies between modules that aren't loaded automatically aren't always obvious, and the documentation in that area is poor.

          Basically, if people will yell at me when there's downtime, I pick OpenBSD unless I have a good reason not to. With a firewall machine, there aren't any good reasons to pick something else.

          Comments
          1. By Anonymous Coward () on

            OpenBSD documentation beats any other UNIX(-like) system easily in my experience.

            Comments
            1. By Anonymous Coward () on

              Just to let all know, I'm pretty new to OpenBSD. I don't know what exactly you mean by documentation. Do you mean man pages, documentation on the website, or something else? Perhaps you can be more specific.

              I ask this because I find that FreeBSD's Handbook and FAQ to be better organized. Perhaps this type of documentation was not what you had been referring to but this is usually the documentation I first look at when I have a problem.

              AFAIK, OpenBSD doesn't have a Handbook per se, but it does have a FAQ. The FAQ is good, but it could be better. I can elaborate further if required.

              With enough poking and prodding I can find the information that I need in the FAQ found on the OpenBSD website but sometimes I have to look in not so obvious places for the information that I require.

              Perhaps after I get more acquainted with the FAQ layout, I'll be able to navigate through the FAQ more efficiently.

              Comments
              1. By Anonymous Coward () on

                Not required, but please elaborate.

                Comments
                1. By Anonymous Coward () on

                  Man, you actually want to make me work don't you? Geez. Okay, I'll actually do this, but when I have more time. I have a printed out copy of the OpenBSD FAQ at home where I have some notes jotted down in the margins and stuff. I guess I can post some of the things that I thought could have been more consistent.

                  Comments
                  1. By Anonymous Coward () on

                    Feedback makes improving things easier ;)

              2. By zp () on

                Man pages. That's documentation on UNIX.
                You'd be amazed how many problems can be solved simply by reading man pages. People have been doing it a long time before Google (or Alta Vista) existed.
                Frankly, I find it sometimes sad that even techies are googling and picking information from some lame guy who has no idea what he is talking about instead of reading a man page FIRST.

                Most recent example. A colleague told me that he had finally googled out the way to use color in his ls on Mac OS X by installing a GNU package. I pointed him to 'man ls' on his Mac OS X and the fact that it states that setting CLICOLOR to 1 in your .login (.profile) enables colored output. The answer was there in seconds, and he was 'googling' half a day for the wrong one.

          2. By strgout () strgout@unixjunkie.com on mailto:strgout@unixjunkie.com

            like what? please give an example where the kernel needs to be recompiled to add support for something.

            Comments
            1. By Dan Brosemer () odin@svartalfheim.net on mailto:odin@svartalfheim.net

              On a Proliant DL380 with a SmartArray 5i RAID controller.

              The RAID controller support isn't in the FreeBSD kernel as it ships. Try booting off disks your kernel doesn't support.

              To even get FreeBSD installed, I had to build a custom set of boot floppies.

              To be fair, this was 4.7. This may have changed with -CURRENT... but I don't run -CURRENT on production hardware.

            2. By Anthony () on

              ext2fs

            3. By zp () on

              Last time I touched FreeBSD I needed to rebuild the kernel to get quota. Do we need to go any simpler than that?
              Oh, yes, and I needed to find that my sound card is supported through some obscure kernel module which I had to tell it explicitly to load in /boot/loader.conf.
              And APM didn't work at all. It would hang the machine and never return from suspend.

              No work needed with OpenBSD. It just works.

          3. By Anonymous Coward () on

            This is FUD. It's a shame to see such a nice site ruined by uninformed zealots.

            Comments
            1. By Anthony () on

              Refute any assertions I've made that are wrong, specifically. I've run into this stuff myself, so I know I'm not making it up.

              Comments
              1. By Anthony () on

                I should add that I ran into this stuff on 4.9 (up to date as of this posting) and 5.2.1-rc (5.2.1 is out now).

          4. By Anonymous Coward () on

            Ok, try to load OpenBSD on a Dell PowerEdge 1750 without PERC. 3.4 will not recognize the onboard Broadcom NIC, nor will it recognize the LSI 1030 SCSI card. -current added support for the Broadcom NIC, but LSI 1030 (mpt) is still not there.

            NetBSD -current supports both. FreeBSD 4.9-RELEASE and FreeBSD 5.2.1-RELEASE support both. So what you've claimed is actually the other way round in this case. Granted, there are cases where drivers first appear in OpenBSD (e.g., 3Com 940), but FreeBSD ported the driver pretty quickly. But in the LSI 1030's case, I remember it was on the list at last year's Hackathon, but it's still not there as of today.

            Speaking of OpenBSD's ports, sure, they will work. But it offers far, far less third-party package support compared to FreeBSD. Heck, I'd rather use NetBSD's pkgsrc on OpenBSD.

            Don't get me wrong, I use OpenBSD on a daily basis, in places where it shines - firewalls.

            Comments
            1. By tedu () on

              funny that you mention the mpt driver isn't there as of today. actually, as of today, it is there.

              Comments
              1. By Anonymous Coward () on

                Gosh, I actually checked the cvsweb before I made the post. I just refreshed the page, it was committed 9 minutes ago. Cool!

                Comments
                1. By Anonymous Coward () on

                  Well, the first revision was committed over an hour ago.

      3. By Anonymous Coward () on

        > And FreeBSD can't touch OpenBSD in a number of areas. It's waaaay more work to install and administer FreeBSD.

        Bah! that's a highly subjective argument you're making there. Still, being able to trade code like stock cars "trade paint" is what makes *BSD so friggin' awesome.

        Comments
        1. By Anonymous Coward () on

          I agree completely with you. I think it's awesome that the BSD's share code such as in this occasion. Besides, I've been using pf on OpenBSD for a short while now and so far I really like it.

      4. By strgout () strgout@unixjunkie.com on mailto:strgout@unixjunkie.com

        Ok so show us what is needed to upgrade from one release of OpenBSD to the next, and one release of FreeBSD to the next. How about from 3.3 to 3.4 and 4.8 to 4.9?

        please include examples of updating config files also.

    2. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

      Are you absolutely sure that a firewall needs two or more CPUs?


      Comments
      1. By Anonymous Coward () on

        Currently a firewall does not need 2 CPU's. But if I have 1 CPU with SMT capabilities or a 2-CPU-on-one-chunk-of-silicon machine, why would I be happy wasting those resources? Won't be too long before this is the norm for commodity hardware...

        On a personal note, I firewall all my BSD boxen so that only the services I want visible, are. This is irrespective of any other firewalls on the network.

      2. By Dan () on

        YES.

        Now pf is just a tcp/ip filter. One of the best, but just a tcp/ip filter.

        More and more application filtering is needed.

        If proxies are chosen to do the job (which has some problems, like integration with per-user rules) they need to be run somewhere.

        Usually these proxies have to be run on the firewall itself.
        Proxies can be very CPU intensive, and added to the overhead of pf redirection and proxy socket operations, you need lots of power.

        But I think it's not the point.

        SMP is good for marketing. That's all.
        IMHO one 2GHz CPU is much better than 2x1GHz CPUs on any platform or OS (except mainframe zOS :).

        Comments
        1. By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com

          Troll!

          > SMP is good for marketing. That's all.
          > IMHO one 2GHz CPU is much better than 2x1GHz CPUs on any platform or OS (except mainframe zOS :).

          Let's see... Cray? ConnectionMachine? SunFire 15K?

          Have you EVER seen an OS running on REAL hardware?

          Damn you PeeCee weenies

          Comments
          1. By Dan () on

            OK,

            I wasn't talking about the very high end computers, which are usually only for research.

            I was talking about the average SMP machine, which has 2-4 CPUs, maybe 8.

            Do you really think that using a 4x500MHz Sun is better than a 1x2000MHz Sun? If so, please explain why.

            BTW, I think you shouldn't shout TROLL just because I expressed my opinion. I was never saying that I am God and everyone else is a fool, and I am 100% right. I think IMHO means In My Humble Opinion. But English is not my native language so maybe I am wrong.

            And I think you should take into account that every rule has an exception except the rule that every rule has an exception... :)

            Comments
            1. By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com

              Um, you said ANY, now you qualify that. You specifically mentioned the Z series as well, so you obviously were including the full gamut of SMP capable machines.

              I accept your point that "every rule has an exception", yet you were the one that made assertions in absolutes.

              I'm not going to explain computer architecture to you in a brief post to a website, I'd suggest you go and buy a book, do some research and find out for yourself.


              Comments
              1. By Dan () on

                I mentioned Z because I am a system programmer in zOS.

                zOS has nothing to do with other monsters you mentioned.

                In the perspective of MIPS, Z is not very impressive. You can get better results with most big Unix.

                Its strength is in IO operation, and hardware-assisted virtualization. Its super strength is in zOS + the hardware.

                You're right about the ANY. I should have used "typical" ...

                BTW, what book do you recommend?

                Comments
                1. By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com

                  Computer Organization and Design by Patterson & Hennessy

                  http://www.bookpool.com/.x/4o4gkt7tlr/sm/1558604286

                  Comments
                  1. By zp () on

                    That's a book for first undergrad architecture course (in other words, a book for children).

                    You should have recommended the same authors, but

                    Computer Architecture: A Quantitative Approach.

          2. By djm () on

            And I thought we were talking about Firewalls...

            I can't imagine any of the systems you mention being used for packet filtering. Worse, the ConnectionMachine isn't even a standard von Neumann architecture IIRC.

            So, who's trolling?

          3. By Anonymous Coward () on

            Oh yeah! @hotmail.com weenies talking about REAL hardware for packet filtering! I love it!

            Comments
            1. By marklar () marklar_@hotmail.com on mailto:marklar_@hotmail.com

              I wasn't the one that bought up the Z series, now was I?

        2. By Anonymous Coward () on

          "IMHO one 2GHz CPU is much better than 2x1GHz CPUs on any platform or OS"

          That is because it is; the various ways SMP can work are lost on most people, yet they argue the toss about it.

          Yes, SMP is cool, and there are good reasons for having it, but none of the open source OSes have solid support, and I figure that OpenBSD will want it fairly solid.

          "Those who give up security for speed, deserve neither" :)

          Comments
          1. By Anonymous Coward () on

            > "Those who give up security for speed, deserve neither" :)

            So what you're saying is let's all use java or other buffer-overflow-safer languages instead of C/C++?

            > Yes, SMP is cool, and there are good reasons for
            > having it, but none of the open source OSes have
            > solid support, and I figure that OpenBSD will
            > want it fairly solid.

            OpenBSD didn't wait for other OSes to be secure. If OpenBSD "want [SMP] fairly solid," they'll do it just like they want security solid.

        3. By noone () on

          > SMP is good for marketing. That's all.
          > IMHO one 2GHz CPU is much better than 2x1GHz CPUs on
          > any platform or OS (except mainframe zOS :).

          Of course, but as even any troll knows, 2 or 4 3GHz CPUs beat one 3GHz CPU any day.

      3. By Bruce () on

        I don't know about firewalls, but my web/e-mail server runs OpenBSD. And pf, of course. I don't feel comfortable running Internet-exposed ports on any other platform. That is a judgement regarding my own system administration skill level, not a slight against other OS's.

        Anyway, I would prefer all the speed I can get out of this OpenBSD box, and if SMP support were available I would welcome it. Of course, if Theo et al. feel their time is better spent on other security related enhancements, I will just improve my web server performance by purchasing a better uni-processor box once in a while. No complaints here, just a mild wish.

    3. By Anonymous Coward () on

      > No SMP is beginning to bite for OpenBSD.

      OpenBSD is what OpenBSD is. That is in your opinion, it's not in my opinion. OpenBSD does what it says it will do on the box, nothing more, nothing less. If only this were true for more software.

  5. By Chris Humphries () chris@unixfu.net on http://unixfu.net/

    Good Packet Filter, on another OS.

    Open Source in action :)

    Just would be nice to see UFS2 and mysu in OpenBSD.

    Comments
    1. By Anonymous Coward () on

      Comments
      1. By Anonymous Coward () on

        xsu

        Comments
        1. By Nate () on

          To expand on that, mysu appears to be xsu - a GNOME graphical sudo.

          Perhaps they are seeking a port of mysu.

          Comments
          1. By Chris Humphries () chris@unixfu.net on http://unixfu.net

            Actually it is not that. Install FreeBSD 5.2 and see for yourself :)

            it is a better version of su.

            Comments
            1. By Nate () on

              That's just annoying, because I went googling about to see what all was mysu and all I found was a renamed version of xsu. I hate when multiple things share the same name.

  6. By Anonymous Coward () on

    Question: Does pf use the Berkeley Packet Filter, bpf, or does it reuse code from bpf? I remember reading something to that effect somewhere or another. If they share code/functionality, are there plans in the works to merge them together?

    Comments
    1. By Anonymous Coward () on

      fluffy! pf and bpf have nothing in common at all...

      Comments
      1. By Anonymous Coward () on

        Well, that settles that.

      2. By jtorin () on

        ...except maybe two out of three letters in their names. But that's it!

  7. By Konstantin Leontiev () root -at- combellga -dot- ru on http://combellga.ru/

    Hello OpenBSD community!

    I'm an administrator at a Russian telecommunication company.

    I'm a newbie in OpenBSD (using it in a production environment for only several months), but I think that the greatest features for me in OpenBSD are the default security settings and the packet filter.

    I use PF+OB in the morning, at midday and at midnight ;) Many, many tasks with load balancing, filtering and prioritization I have done with PF. A great new feature is PFSYNC.

    Only one feature I need in PF now: ALG (Application Layer Gateway) (or NAT editor) like in Cisco NAT or M$ NAT.

    And I hope that you can finish SMP by the middle of 2004.

    Comments
    1. By Anonymous Coward () on

      Hi,

      What's OB? As in PF+OB?

      Comments
      1. By Konstantin Leontiev () on

        OB - OpenBSD

        Comments
        1. By Anonymous Coward () on

          Ohhh LOL.. Thx ;-)

          Comments
          1. By Thoe DeRaddt () on

            Stupid fuck.

  8. By Janos Mohacsi () janos.mohacsi@bsd.hu on mailto:janos.mohacsi@bsd.hu

    I believe that pf won't be the default packet filter of FreeBSD. I think the best integrated one is ipfw. But you will have the option to use ipfw, ipf and now pf. It is a matter of choice!

    Regards,

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]