move to OpenBSD from FreeBSD

I have been forced to move my firewall to OpenBSD because the FreeBSD version of PF doesn't support the divert-reply function. The reason is I want to make an L7 PF firewall.

Will the transition be too hard? Are there many differences between OpenBSD and FreeBSD for my needs?
 
If I remember correctly FreeBSD's PF is based on PF from OpenBSD 4.5.
 
I don't want to move to OpenBSD (only for my firewall), but when I use the rule in PF I get
Code:
divert-reply has no meaning in FreeBSD pf(4)
 
It's unlikely any of the additions to OpenBSD's PF after 4.5 are implemented on FreeBSD.
 
Well, I downloaded and installed the latest OpenBSD.
The installer was a little confusing compared to the FreeBSD one, but no problem at all.
Boot...
And in 5 to 7 minutes I had a functional gateway with PF; the network configuration was very easy.

I had some trouble with the path names and the way to configure the interfaces, but nothing too difficult.

I miss ZFS :( ...
Slow boot (userland), needs tuning without disabling the security features.
No need for X, the console font is very nice to read.

So, it is good for a server but not for a desktop, in my opinion.

I forgot: the shutdown and reboot are fast compared to FreeBSD (because of the file system used by OpenBSD, I think).
 
Not sure what divert-reply should be good for in PF, but IPFW has several divert features. So if you’re willing to switch from PF to IPFW, that might be an option if you prefer to stay with FreeBSD.
 
Not sure what divert-reply should be good for in PF, but IPFW has several divert features. So if you’re willing to switch from PF to IPFW, that might be an option if you prefer to stay with FreeBSD.

To capture a packet, send it to an application (for example Snort) and get it back, to make a layer 7 firewall.
There are a few arguments against it, because it makes the packets travel to userspace to reach Snort.
 
I don't think pf does layer 7 processing, though? Regardless of OS.

You're right, PF itself doesn't, but with divert and divert-reply you can analyze the traffic with an external application like Snort and send it back to PF with a mark.
I have never done this, but in theory it works.
 
You're right, PF itself doesn't, but with divert and divert-reply you can analyze the traffic with an external application
Well, that’s exactly what the divert feature of FreeBSD’s IPFW does. I’ve used this feature before, it works. See the ipfw(4) manual page for an overview of the kernel module, and the ipfw(8) manual page for details on the features and the syntax.

Note that the syntax and handling of IPFW rules is quite different from PF, so you would have to rewrite your rule sets completely. On the other hand, IPFW has quite a lot of features that PF doesn’t have, and that allow you to do very clever and efficient things.

For example, IPFW rules are numbered (like line numbers in a BASIC program), and you can jump to other rules at any time, depending on conditions (like “if … goto …” in certain programming languages). Also, you can call a set of rules like a subroutine. And rules can be grouped together in so-called “sets” that can be enabled or disabled as a whole, among other things. These features enable you to structure your rules nicely.
 
Well, that’s exactly what the divert feature of FreeBSD’s IPFW does. I’ve used this feature before, it works. See the ipfw(4) manual page for an overview of the kernel module, and the ipfw(8) manual page for details on the features and the syntax.

I don't know it. When I started using FreeBSD I chose PF and now I feel at home; before starting to learn OpenBSD I will give IPFW a try.
In the man page (I read it from above without going into too much detail):

Code:
diverted            Matches only packets generated by a divert socket.
diverted-loopback    Matches only packets coming from a divert socket back into the IP stack input for delivery.
diverted-output       Matches only packets going from a divert socket back outward to the IP stack output for delivery.

With divert you send out the packets to an application, and with one of those 3 options you get them back into processing in IPFW?

Note that the syntax and handling of IPFW rules is quite different from PF, so you would have to rewrite your rule sets completely. On the other hand, IPFW has quite a lot of features that PF doesn’t have, and that allow you to do very clever and efficient things.

For example, IPFW rules are numbered (like line numbers in a BASIC program), and you can jump to other rules at any time, depending on conditions (like “if … goto …” in certain programming languages). Also, you can call a set of rules like a subroutine. And rules can be grouped together in so-called “sets” that can be enabled or disabled as a whole, among other things. These features enable you to structure your rules nicely.

Yes, some time ago I used it for basic testing. My idea now is to make something like an IDS between the firewall and the LAN, for L7 filtering from the LAN and some IDS features.
 
I moved my desktop from OpenBSD to FreeBSD only because I wanted ZFS for archiving purposes.

Now I am thinking of another solution. It is much easier to deal with OpenBSD than with FreeBSD.

For backing up the system, for example, what do you do?
A manual backup of essential system files and directories, like using UFS?
 
I moved my desktop from OpenBSD to FreeBSD only because I wanted ZFS for archiving purposes.

Now I am thinking of another solution. It is much easier to deal with OpenBSD than with FreeBSD.

I had exactly the opposite experience: OpenBSD performance was terrible and the installer was confusing and overly complex. FreeBSD, in my opinion, performs far better on the desktop and the installer is very simple. Configuring FreeBSD is also very simple for my use case. I will caveat this statement by saying I tried OpenBSD for about 30 minutes, the time it took me to install and log in to the desktop, and then dumped it. I also have some fairly demanding 4K video hardware, so I think OpenBSD was not designed for or optimized for this at all, while FreeBSD runs very fast.
 
In the man page (I read it from above without going into too much detail):
Code:
diverted            Matches only packets generated by a divert socket.
diverted-loopback    Matches only packets coming from a divert socket back into the IP stack input for delivery.
diverted-output       Matches only packets going from a divert socket back outward to the IP stack output for delivery.
With divert you send out the packets to an application, and with one of those 3 options you get them back into processing in IPFW?

The three diverted* options that you quoted are only for matching. That is, if you want to make actions depend on whether a packet was diverted or not.

To actually divert a packet, you use the divert action. By default, when the application sends the packet back, it continues to be handled by the next rule (numerically). This behaviour can be changed by the application if desired, i.e. the application can specify the rule number when sending the packet back to IPFW. It may also decide to not send the packet back at all – this is useful for applications that want to monitor the packets only, but not modify them.

The divert mechanism is documented in the divert(4) manual page.

Alternatively, packets can also be forwarded to a local port (TCP or UDP), using IPFW’s “forward” or “fwd” action. This is used by Squid, for example, to implement a transparent proxy that intercepts all HTTP traffic.
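As an added example (not code from this thread or from FreeBSD itself), a minimal divert(4) listener in C that implements the flow just described: it binds a divert socket to an assumed port 8668 (matching an assumed rule such as ipfw add 1000 divert 8668 ip from any to any), inspects each packet with a small pure check, and either drops it by never writing it back or re-injects it so processing resumes at the following rule. The IPPROTO_DIVERT fallback and the constructed sample-packet builder exist only so the inspection logic can be compiled and tested off a FreeBSD box.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; defined here only so the file also compiles elsewhere */
#endif
#define DIVERT_PORT 8668     /* assumed: must match "ipfw add 1000 divert 8668 ip from any to any" */

enum verdict { PASS, DROP };

/* Pure inspection step on one raw IPv4 packet. Drops TCP segments with SYN and FIN
 * set together (a combination no normal stack sends) and anything truncated. */
enum verdict inspect(const unsigned char *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return DROP;                    /* bad header length */
    if (pkt[9] == IPPROTO_TCP) {
        if (len < ihl + 14) return DROP;                       /* TCP flags byte missing */
        if ((pkt[ihl + 13] & 0x03) == 0x03) return DROP;       /* FIN(0x01) + SYN(0x02) */
    }
    return PASS;
}

/* Constructed 40-byte IPv4+TCP packet with the given flags, for testing inspect() off-box. */
enum verdict inspect_sample_tcp(unsigned char tcp_flags) {
    unsigned char pkt[40] = {0};
    pkt[0] = 0x45; pkt[3] = 40; pkt[9] = IPPROTO_TCP;         /* IPv4, IHL 5, len 40, TCP */
    pkt[33] = tcp_flags;                                       /* 20-byte IP header + 13 */
    return inspect(pkt, sizeof pkt);
}

int main(void) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { perror("divert socket"); return 1; }
    unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        if (inspect(buf, (size_t)n) == DROP) continue;        /* never written back: packet is gone */
        /* divert(4): from.sin_port holds the diverting rule number; unchanged, it resumes at the next rule */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) perror("sendto");
    }
    close(fd);
    return 0;
}
```

Rules placed after the divert rule can use the diverted match option quoted earlier to treat re-injected packets differently from fresh ones.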
 
A manual backup of essential system files and directories?

More or less that. I do not need much. Only to keep files for many years, perhaps tens of years.

I have FreeBSD on a 2.5'' hard disk on which I work. I can put this HD in my very silent
desktop or in my "safe", a computer with two 3.5'' ZFS-formatted disks as mirrors that
keep important files.

I transfer from the working HD to the mirror HDs with rsync. No networking, no
two computers working at the same time, just making my backup from time to time. That
simple. Of course there are a lot of sophisticated possibilities that I wanted to avoid for one or
other reason.

The reason for using ZFS, namely FreeBSD, is: (1) self-healing features, (2) a file system that runs
on many OSes and probably will live a lot of years.
 
I had exactly the opposite experience: OpenBSD performance was terrible and the installer was confusing and overly complex.

Yes, it seems the performance is not the best, but it is very stable, more than FreeBSD. The
probability that FreeBSD hangs is much higher.

And the installer is by far much better and well thought out than FreeBSD's installer. Very simple
to use and requires few resources. It is very flexible if you want to do non-standard things.
It allows you to install OpenBSD on old hardware without any problem. In less than 20 minutes
you install OpenBSD; with FreeBSD you get strange problems and it takes a lot of time.
 
Not my experience at all: I found the OpenBSD installer to be terrible: hard to use, confusing and convoluted. I have never had a hang or crash on FreeBSD in several years of use. I have had apps core dump on FreeBSD though. My FreeBSD install takes about 7 minutes. My configs take a few more to copy over and I have a fully functional FreeBSD desktop in under 1 hour. I would never use or recommend OpenBSD based on my experience but that is MY experience.
 
For backing up the system, for example, what do you do?

I must complete my above answer: I do not back up the system. I have absolutely no interest
in backing up the system. Only files and directories of my own, as I described above.

Hard to use, confusing and convoluted, Sevendogsbsd, only because you do not know it as
well as the FreeBSD installer. As said: it is exactly the opposite of that.
 
For the original post, one question:

If I made this topology:

Internet->PF->SNORT->LAN and vice versa

can Snort drop or accept packets, or not?
 
Hard to use, confusing and convoluted, Sevendogsbsd, only because you do not know it as
well as the FreeBSD installer. As said: it is exactly the opposite of that.
I ran OpenBSD for several years on an Alpha workstation. It was awful. Sevendogbsd is right.

And probably the worst thing about it was the hostile and impolite OpenBSD team. Worst open source community experience ever. FreeBSD is so much better.
 