Contributed by jose on from the portable-guards dept.
"Hello there. I have ported pf to FreeBSD 5.0. Currently it works well, though many nice features of pf are not tested. I have ported it to make FreeBSD users know there is another excellent stateful packet filter with a BSD license. URL is the following.
ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_freebsd_0.3.tar.bz2
Thanks."

Wow, this is pretty cool. I know that PF had been ported to NetBSD as well (as an LKM, without ALTQ), but I didn't know about this effort for FreeBSD. It's good to see that people are mixing up their options, and maybe they can contribute something back to OpenBSD's PF.
By Anonymous Coward () on
From my short look into similarities, it would appear iptables can do a bit more, and is a tad faster.
What are other readers experiences?
Please, no bitching/trolling, I was just after a technical comparison.
By deekayen () on
By miked512 () miked512@msn.com on mailto:miked512@msn.com
By Anonymous Coward () on
By Anonymous Coward () on
*(BFD == Big F*cking Deal)
By RC () on
By Anonymous Coward () on
By Henning () henning@openbsd.org on mailto:henning@openbsd.org
pf on the same machine handles twice the load nowadays with a peak of 12% CPU.
performance does not matter, eh? well, the performance difference between IPFilter and pf was the key between can use and impossible here.
By Anonymous Coward () on
By Anonymous Coward () on
I have no personal experience using OpenBSD's "pf", however, I have lots of experience with FreeBSD's "ipfw" and I have also extensively used "ipf".
From my experiences I have found that "ipf" is *significantly* slower than "ipfw". Although the "ipf" syntax is simpler, it simply lacks a lot of the features and functionality of "ipfw".
I am extremely interested in "pf" particularly for the "authpf" and "altq" features which are non-existent with "ipfw" -- there are some queuing tools, but nothing that can compare to OpenBSD's "altq".
Just my 2 cents.
By Ben Johnson () on
IPF/PF are vastly more sane to figure out than iptables.
PF in particular is a dream - port forwarding, filtering, cleaning and shaping configured in one easy to use text file.
Also do consider the whole environment: a default OpenBSD with PF will be more secure than a default Red Hat 8.1 with iptables. (In addition, the OpenBSD box will be more stable IMHO)
Just like Linux is great for the latest releases of desktops, browsers and office suites, OpenBSD is great for firewalls, authentication and stability.
They both have their place.
By Piero Leonardo Rodrigues () piero@irapida.com.br on www.irapida.com.br
iptables has some things which don't exist on pf, like the log schema, more advanced than pf.
But for security, firewall and enjoyment :) .. I prefer OpenBSD + pf
By Anonymous Coward () on
Name some useful features which iptables provides and PF does not.
like the log schema, more advanced than pf.
What is wrong with pflog? Logging everything in a pcap file is incredible (being able to use tcpdump, ethereal, snort, ... on your log files).
By Sherrod () sherrod@girlvinyl.com on http://girlvinyl.com
Plus you can add NAT with one line.
:]
By Anonymous Coward () on
IPtables are a mess, typical GNU and Linux style; performance is on par with IPF.
By Anonymous Coward () on
By Alejandro G. Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com
By Steph L () Stephane.Lentz@ansf.alcatel.fr on mailto:Stephane.Lentz@ansf.alcatel.fr
mentions it does for instance).
Are you sure?
In some Linux French Magazine some guy mentioned in some IPTABLES/NETFILTER vs PF comparison that:
- PF lacks some modules to follow some connections that Netfilter offers.
Example: IRC module (for DCC traffic)
- PF lacks front-ends (IPTABLES offers many)
- PF lacks load-balancing
He mentions that add-ons such as authpf, normalization are really valuable.
By Dries Schellekens () on
> Are you sure?
According to tcp-window-tracking still is a patch and enabled by default.
> In some Linux French Magazine some guy mentioned in some IPTABLES/NETFILTER vs PF comparison that:
> - PF lacks some modules to follow some connections that Netfilter offers.
> Example: IRC module (for DCC traffic)
Look at ports net/tircproxy
> - PF lacks front-ends (IPTABLES offers many)
There exist plenty of GUIs to create PF rules: fwbuilder, WallFire, SOFI, ... (lots of tools are listed on Daniel's website)
> - PF lacks load-balancing
This is one of the new features in OpenBSD 3.3.
By Dries Schellekens () on
Clearly this should not be enabled by default.
By RC () on
What is "follow some connections" supposed to mean?
PF needs no front-end, it is an incredibly elegant syntax, and probably easier to learn the syntax than to learn a front-end... Besides, I have heard of one front-end for PF, I have no doubt there are more.
PF certainly has load-balancing.
In addition to authpf, and normalization, PF has a modulate state option, very good performance, and all sorts of features are being added... practically daily.
I can't say any more about the differences, because I haven't used any non-OpenBSD options in quite some time.
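The features this sub-thread argues over (normalization, NAT in one line, round-robin load balancing, pcap-format logging, keep state and modulate state) all fit in one pf.conf. The ruleset below is an added illustration, not configuration posted by anyone in this thread; interface names (fxp0, fxp1) and addresses (203.0.113.1, 192.168.1.0/24, 192.168.1.10 and .11) are constructed placeholders, and the syntax is the OpenBSD 3.3-era pf.conf the thread is discussing.

```pf
# Macros: interface names and addresses are constructed placeholders.
ext_if = "fxp0"
int_if = "fxp1"
ext_addr = "203.0.113.1"
lan = "192.168.1.0/24"
web_servers = "{ 192.168.1.10, 192.168.1.11 }"

# Normalization: reassemble fragments and drop packets with impossible
# flag combinations before they reach the state table or the filter.
scrub in all

# NAT in one line: traffic leaving the LAN is rewritten to the
# external address.
nat on $ext_if from $lan to any -> $ext_addr

# Load balancing: inbound web connections are spread over two internal
# servers with a round-robin address pool (new in OpenBSD 3.3).
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_servers round-robin

# Default deny. "log" copies matching packets to pflog0, which pflogd(8)
# saves in pcap format, so tcpdump and friends can read the firewall log.
block in log all
block out log all

# Stateful rules: only the initial SYN may create state, so later packets
# of a connection are matched in the state table, not in the ruleset.
# "modulate state" also rewrites initial sequence numbers for hosts with
# weak ISN generators; "keep state" leaves the original ISNs alone.
pass in on $ext_if proto tcp from any to $web_servers port 80 flags S/SA modulate state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

# The internal interface is trusted in this example; tighten to taste.
pass in quick on $int_if all
pass out quick on $int_if all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the `log` keyword sends matching packets to pflog0 and pflogd(8) writes them to /var/log/pflog as pcap, `tcpdump -n -e -ttt -r /var/log/pflog` (or any other pcap-aware tool) reads the firewall log directly, which is the point the earlier pflog comment in this thread makes.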
By Alejandro Belluscio () baldusi@hotmail.com on mailto:baldusi@hotmail.com
Regarding the connection tracking, PF might have fewer modules. But consider protocols that don't work with NAT brain dead (you can't really defend FTP, and the SIP committee is unforgivable, but surely it was made on purpose).
Besides, it has modulation of state and randomization of IP IDs. This means a real increase in security.
By Anonymous Coward () on
By Anonymous Coward () on
By thebiMbo () on
By Dries Schellekens () on
pfsync(4) will only be interesting in case of failover; but a good failover mechanism (VRRP) is lacking because of patent stuff.
By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl
I have not seen any (non-commercial) firewall (pf, iptables and 'friends') who can replicate or distribute connection-tracking.
By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl
So I stand corrected, if some1 wants to comment on my comment. :-)
By Lennie () leen@wirehub.nl on mailto:leen@wirehub.nl
By Anonymous Coward () on
"Pass out keep state". Done.
Doesn't mean that is a good idea, but it is possible. I've heard rumors that PF will support sharing state over a backbone end, and that will be super cool. (For fail-over firewalls)
By Anonymous Coward () on
IPF and PF make more sense to myself personally. Some people prefer the more command-oriented (as opposed to file-oriented) rule style of IPFW and IPTables. In IPF/PF, you just edit a file with your rules, and can change the state of the firewall with a control utility. With IPTables and IPFW, you add/change/delete rules with the same utility, often through a shell script or some such. I'd go for IPFW over IPTables, since
- it runs under FreeBSD
- its syntax isn't a horrible mess of command-line arguments.
I haven't run into anything that I can do with Linux/IPTables that I can't do with the alternatives.
By Anonymous Coward () on
ROFL!
By Anonymous Coward () on
IPF and PF are very easy to figure out. PF also has very useful additional features. If you want to add some temporary rules you just invoke `ipf -f -' and write your rules, then ctrl+c. This is just beautiful! And ALTQ has a very easy to understand, sane configuration file compared to those Linux tools.
Don't get me wrong. I am using Linux mostly for the desktop and FreeBSD on servers. Both work fine. I just hate iptables syntax.
By Anonymous Coward () on
By Dries Schellekens () on
By Anonymous Coward () on
By Anonymous Coward () on
By miked512 () miked512@msn.com on mailto:miked512@msn.com
Not like I don't use OpenBSD or anything. ;-)
I hope it works well.
By Anonymous Coward () on
Will they import this into FreeBSD or will it be a separate thing?
By Anonymous Coward () on
i have a freebsd server with 2 4-port nics running 4 independent bridges here using ipfw1 (lkm) to filter out multicast
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
I'm still referring to FreeBSD 5.0 with pf and bridging; not OpenBSD. I use OpenBSD for this and I swear by it. Like I originally said, I wonder if pf will support filtering bridged packets (in FreeBSD 5.0) because I know for a fact, IPF didn't, only IPFW did.
By Anonymous Coward () on
he put up a patch to make it work which was like 8 lines of code on the ipf mailing list. i never tried it.
By Hendrik Scholz () hscholz@raisdorf.net on http://www.raisdorf.net/
I cannot compare the two as I'm running ipf on most systems.
By Anonymous Coward () on
By Hiya () on
By uNF () on
By Anonymous Coward () on
By earx () on
go for the war ?
By Anonymous Coward () on
By Anonymous Coward () on
(points, stares)
a troll...a real, honest to god TROLL!!!!!
...
We now return to our regular scheduled programming.
By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net
http://www.openbsdforums.org/forums/showthread.php?threadid=7266&ref_=fr
By ^ESN^ () on
this can make me an even more happy user of FreeBSD
By jose () on http://monkey.org/~jose/
By Anonymous Coward () on
By Anonymous Coward () on
I was under the impression that IPF is not under a BSD or X like license.
PF is under the BSD license for sure. IPF is, or at least was, not--one of the reasons PF had to be developed is that IPF did not adhere to the BSD license. IPF's creator, Reed, would not change it. Also why IPF was removed entirely from OBSD default.
Unless Reed changed the IPF license, something only he can do due to copyright, and last I heard Reed was saying (but wasn't doing) he would make the license adaptable and favorable to those he liked (which totally sidesteps the point of a BSD license; but maybe for FreeBSD folks, it is under a true BSD license), what other firewall besides PF is both stateful and under a true BSD (or X like) license?
By Anonymous Coward () on
Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
I hate legalese, don't you ?
By tedu () on
By Anonymous Coward () on
In essence, it's developed to guarantee the freedom of developers; in fact, I think this is the best license I've seen, because, 1, it makes it possible to make money off the software while also keeping the code to oneself, unlike GNU crap I might add, and 2, it guarantees that any code released to the public can be incorporated back into IPF.
This is perfect for all parties. Personally, I'm with the 4-clause BSDL or public domain, but this should be a valuable asset in battling GNU's continuing ripping of BSD code without contributing it back.
By Anonymous Coward () on
By Anonymous Coward () on
Copyright law, at least in the US, gives certain rights which, if not explicitly stated via license or sale or contract or whatever (e.g. all rights reserved actually no longer needed because all rights reserved is a given under present law), the copyright holder retains.
Such categories include use, distribution, and copying. You can grant none, all, or some combination of them (e.g. a bookstore has the right to distribution of the original copy (and right of first sale allows them to sell used or previously sold copies) but does not have the right to photocopy and then sell that photocopy).
Knowing this, read the IPF license. Compare to other licenses. What's Reed's license missing? Yup.
If you missed it, the utterly funny thing about the license that is so obtusely obvious is that it does not give you the right to copy. Again, you can't "assume" intent under the law--copyright holders gain the benefit of the doubt. Redistribution is distribution rights, which is NOT the same as copying (e.g. a library distributes, a bookstore distributes via sale, a bookstore does not copy). Use is code use (running on your machine), which is needed.
But there is no right to copy granted by the license. Hello? Who wrote this crap? Plainly not BSD.
By jolan () on
By Anonymous Coward () on
IPFW2 is both under the BSDL and stateful.
It's part of FreeBSD 5.0 onwards.
By Anonymous Coward () on
Where do I request my coffee-webcam protocol in IPTables? I need this in kernel space because it needs to be high performance.
If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.
Oh and for the gamers out there. See previous paragraph; I can, and have, made all games work that I tried.
Go Daniel, PF rocks!
By Anonymous Coward () on
> If you like iptables you have not done your research and are likely a how-to user. You probably don't understand IP either.
This is like saying if you like openbsd you obviously don't know that much cause freebsd is better.
" it requires extensive testing to see if the obscure syntax worked the way I intended."
Well, don't blame others if you can't write decent iptables rulesets.
By Anonymous Coward () on
You do not understand IP.
You use how-to's.
It's ok you can admit it.
Oh, and FreeBSD is a wonderful OS. Linux isn't.
It's good to be elite.
By Anonymous Coward () on
By The Mighty Fool (202.156.2.82) on
By The Mighty Fool (202.156.2.82) on
This is originally what i meant to display, properly formatted...:
> This is like saying if you like openbsd you obviously don't know that
> much cause freebsd is better.
OTOH... that could really be like saying, if u like eating faeces, you obviously don't know that much cos food is definitely better.
>> it requires extensive testing to see if the obscure syntax worked the
>> way I intended.
>
> Well, don't blame others if you can't write decent iptables rulesets.
i have to agree with you on this one. And that is why, today, i am still using a flip-switch to do all my interfacing and programming with my computer - instead of using my keyboard, or mouse. I don't blame the machine if i can't write decent binary (not mnemonic) assembly. The tool does not truly matter!!!
By Jae () jaeyun@dds.nl on mailto:jaeyun@dds.nl