What is the current status and the future of FreeBSD's firewalls?

Hi all,

Lately I've realised that some of FreeBSD's firewall platforms are not very active. OpenBSD's PF seems to be way ahead while FreeBSD's version of PF is heavily modified (to cater for SMP) and is now hard with respect to merging new OpenBSD-PF code. Moreover, IPv6 support seems to be still suffering from some bugs.

IPF seems to be also a bit quiet lately, and the only option that seems to be still active is IPFW.

My problem is that, while I administer a few FreeBSD firewalls running PF (and a few running OpenBSD as well), I am quite unsure as to which OS+firewall I should choose for my next firewall. Since I like PF, should I stop building routers based on FreeBSD and return to OpenBSD? OK, I know I can try IPFW or IPF, but what is the current status on them?

Thanks all in advance and before starting flame-wars among the three platforms, remember that my post is:
  1. about firewall-platforms' status
  2. advising an "old-timer-FreeBSD-PF" guy as to what he should do with future firewall installations with respect to (1).

Thanks all in advance, and peace! :)
 
I am quite unsure as to which OS+firewall I should choose for my next firewall. Since I like PF, should I stop building routers based on FreeBSD and return to OpenBSD?
I think the best person to answer that is you. Ask yourself: does PF on FreeBSD do what I want it to do, i.e. does it satisfy my requirements? Do I really need the new/additional features OpenBSD's PF provides? And, last but not least, if you have other FreeBSD servers, would it be easier to maintain by keeping everything the same, OS-wise?
 
SirDice, I understand what you're saying, and generally I agree, but not having met any problems until now doesn't mean that I won't meet problems in the future with the choices I've made. E.g. the fact that my current firewalls only support IPv4 will have to change soon, and if IPv6 support is "somewhat broken" in FreeBSD's PF implementation, then this affects my firewall choice. Moreover, if bugs in FreeBSD's PF are not going to get fixed (not only IPv6-specific ones) and I am just unaware of it, this doesn't mean that my installations are secure.
 
I've been using PF and IPv6 for a few years now and I haven't run into an issue yet. But I also don't have a heavily stressed firewall. I do think any bugs in PF on FreeBSD will get fixed, even if this means diverting even further from the "reference" OpenBSD versions. As for support, I think the best ones are IPFW and PF; IPFirewall is pretty much a dead end. As far as I know there haven't been any significant improvements or developments on IPFilter in years.

There may be some new bugs introduced in 10.x for PF due to the improved SMP support. But they'd never attempt an update like that if there wasn't a commitment to keep it supported.
 
One of the FreeBSD mailing lists had a discussion about this in the very recent past (maybe November, October at the earliest).

Going from memory:
  • IPFW is under the most active development, and getting new features on an almost weekly basis.
  • PF is at a crossroads and there's discussion and arguments around what to do with it (unfortunately, there's a lack of developers to do any of this work):
    • scrap all the SMP work, import the latest PF, run it as a single-threaded packet filter, and keep it up-to-date with OpenBSD PF
    • keep the current config file format, and just manually add the missing features
    • try to update PF to match the features and config file format from OpenBSD without breaking the SMP support and just support it as a complete fork from OpenBSD PF
  • Colin Percival and one or two other developers are working on IPF. Don't remember the details, but there were some commits from them recently.
I'll see if I can track down the mailing list thread about this.

Edit 1: If you head over to the freebsd-pf mailing list archives, there are several long threads in there about the future of PF. Granted, not all of them are useful discussions between actual coders ... but there's still lots of discussion. :)

Edit 2: Okay, so it was further back than I thought. The discussion occurred in July, and can be followed here.
 
phoenix, thanks for the mailing list discussion link. I had read a similar discussion in the same list which wasn't that analytical.
 