OpenBSD Journal

Another frontend for pf: PfPro

Contributed by grey on from the yapffe for those who don't like text editors I guess dept.

Adam VanderHook writes in announcing his own front end for PF:

PfPro combines Java and XML to provide a graphical interface for creating and maintaining firewall configurations for OpenBSD's PF firewall system. Screenshot.

This code is still very alpha, but working. I still have a LOT of features to add, and would gladly accept any help. While writing this I discovered XML Binding, and as such the next major release will use that instead of nasty DOM tree mangling.

My goal is to produce a best-effort platform-independent firewall utility. By using XML, configurations can be verified efficiently (by check via DTD) and possibly translated to other firewalling systems (like IPChains, via XSLT). One day I would like PfPro to be able to handle configurations for various firewall platforms through a consistent interface.

Here is the homepage and the project page.

(Comments are closed)

  1. By Asenchi ( on

    It looks good and all, but why Java? Why not some smaller, functional language that works really well with OpenBSD and isn't slow? Also something with a better license? Mind you I haven't ever had success installing Java (never really needed, never spent much time). This isn't meant to be a language war, just that what I've seen of Java it is mostly overhyped. Sorry, just my $0.02. Good to see someone working on something like this though. Again, good work.

  2. By j0rd ( j0rd.spam@gmail on

    Java is one of the least portable languages you can write in. I'm pretty sure OpenBSD doesn't even have a native port of J2SE 1.4. If you wanted something portable I'd suggest using a scripting language.

    1. By StatiK76 ( on

      "Java is one of the least portable languages you can write in."

      Hey, I'm no fan of java - but, what the hell are you talking about?

      meh. whatever. Call me strange; I don't think there is a better method of creating pf.conf's outside of using a text editor. No offense to the authors of all these dandy eye candy yet-another-pf.conf-interface's .. But, they all suck.


      1. By Anonymous Coward ( on

        He explained what he is talking about, are you hard of reading? Where is the OpenBSD/i386 jdk, much less openbsd/sparc64, openbsd/amd64, openbsd/alpha? Java is only portable if you only care about windows, linux and solaris. I would definitely say a tool like this would be much better in python or perl or whatever other portable scripting language you prefer.

        1. By StatiK76 ( on

          Ah. Yes. Maybe I have misread a little out of context. But the statement was rather general ("Java is one of the least portable languages you can write in"). The sentence, alone, caused my alarm. thx!

          Still doesn't take away from the fact that these pf.conf front ends are rather pointless (imo). Maybe I'm alone on this one - But, I just don't see the point. (I think the # of useless pf.conf frontends is at 4 or 5 now isn't it?)

          I was impressed with how simple the pf.conf syntax was - does it really require a ui (let alone 4-5)?


          1. By Adam VanderHook ( on

            I did not write PfPro with it in mind that it would actually be run on your firewall. Writing it in Java makes it easier for someone to implement a web interface or an interface for embedded devices, in my opinion. Most of the work is actually done in XML, Java is used primarily for the interface and user-experience. If someone decides they want to implement a GUI in a different language, I would be more than happy to provide any help that I can.

            Additionally, people who use remote firewall management software on Windows will be more likely to try it if they don't have to switch their OS (this is a feature planned for a later release--to securely xfer the config and signal pf to reload it). That, along with the fact that I don't consider configure scripts #ifdef statements to be any more portable than Java, is why I use Java.

            I'm already working on moving over to XML Binding, which means even more of the work will be handled via XML technologies. The Java GUI is only a third of the picture. Either use it, write a GUI conforming to your ideals, or don't.

            1. By Anonymous Coward ( on


        2. By Anonymous Coward ( on

          "Where is the OpenBSD/i386 jdk"

          in ports

          though I believe it is the only i386 at the moment ( at least that is what the port tells me )

          all platforms can compile via Jikes

          1. By Adam VanderHook ( on

            Take a look under /usr/ports/devel/jdk. There will be different directories for different versions and implementations.

          2. By Anonymous Coward ( on

            An old version without any form of JIT compiler is not good enough. I know IBM aren't total cocks and jikes is open source, but that's not enough. If Sun is gonna say stuff like "write once, run everywhere" then they had better make a jdk for everywhere.

        3. By goon ( goonmailALPHATANGOnetspaceDELTAnetDELTAau on

          perl would be a good choice. less installing than python, java, etc. installed by default (if I remember correctly).

      2. By Nikademus (3ffe:4005:1000:4d::2) on

        Java could only be portable if it was OpenSource.. Until SUN gets it to that point, it's up to them only to port it, and everybody knows they won't be able to do it on every platform without any help.. So, indeed java is NOT portable....

        1. By tedu ( on

          java's open source. it's just not free.

  3. By EAN-0x1b ( on

    Something to think about while ripping out the DOM stuff - you might want to push it out to the Browser - the Java plugin has access to the complete Browser DOM allowing for things like an early display to cover a larger download in another thread or the ability to move the real time generation of all the sliced and diced views of the rule set off to the Browser - load the entire data set into the browser and have the displayed views calculated at the browser. Cuts down on the times you touch the server side. maybe moc-transactional =)

    Thanks - keep up the good work!

    I wish Java was good to go on OBSD, and I understand the security concerns so I'm glad FBSD is getting PF!

