Other Opinions on firewall builder

I have been messing with firewall builder and besides its Qt dependencies I really like it.
security/fwbuilder/
Not being a firewall guy, how would you rate this software? It works with many software firewalls.
Is it complete garbage or is it good for new firewall users?
Rules can be complex and it's nice to have assistance. Is this software OK?
The last release was a while ago and the project has disbanded. But rules are rules right?
 
You funny guy. nvi = vim
I want to ditch pfSense one day and I need help.
What pf book do you recommend?
I just bought The Book of PF by Peter Hansteen (2007).
Will it work with FreeBSD?
 
Much of it will still be quite valuable. FreeBSD's pf lags behind OpenBSD's. Especially when starting, the simple, sometimes dated versions, assuming the syntax hasn't changed, can be useful. I still refer to my own pf page, which (way back in the double aughts) Mr. Hansteen complimented, though he may have just been being polite, as so many of the basic principles are the same.

A lot of times, the changes are aimed towards more sophisticated use of pf (or any other firewall), but it's always useful, obviously, to get a handle on the basics.

Here's my own, dated, but still liked by me, (duh) pf page. http://srobb.net/pf.html
 
I agree with Oko though, I'd never rely on software which can fully automatically set up security features for you, and I'm also tempted to label those garbage by definition. The reason I'm not a fan is because of the huge risks attached.

Security begins with an understanding of the underlying mechanisms involved. How do you expect to be secure if you're not even sure that the firewall generated actually works? Another problem I have is that you'll be relying on the expertise of the programmer(s). When something isn't entirely right you'll be feeling the effects of that. For example: sometimes things do change within firewalls, and if your building software isn't being updated you may even run into security risks.

Easily solved if you'd understand the firewall syntax, but you might just have turned this into a huge burden if you're only relying on abstract frontends. In this particular case they seem to be abstracting the whole setup as well, probably so that they can cater to all different firewall types at once. But that also means that even if you understand fwbuilder's syntax then this doesn't have to imply that you'll understand how the underlying firewall mechanics work. So when something goes wrong: good luck to you.

When it comes to security then easier isn't always better.
 
You funny guy. nvi = vim
I want to ditch pfSense one day and I need help.
What pf book do you recommend?
I just bought The Book of PF by Peter Hansteen (2007).
Will it work with FreeBSD?
nvi is not the same as vim.
http://galexander.org/vim_sucks.html

The FreeBSD version of PF is 6-7 years old. PF was more or less rewritten in the meantime. The obsolete syntax of the FreeBSD version is the least of the problems. Peter regularly updates his PF notes (the next, 4th edition of The Book of PF) for each BSD conference where he gives a workshop (I attended the one in Ottawa 2 years ago). Unfortunately even a 2-day workshop is not enough to go over all the material he has.

https://www.openbsd.org/faq/pf/

is a very good start. You can use OS X like other FreeBSD developers to play with PF. It has a very recent version of PF.
 
How do you expect to be secure if you're not even sure that the firewall generated actually works?

It can happen...and already did.

https://www.wilderssecurity.com/thr...e-firewall-manager-breaks-pf-firewall.324417/

It seems the PC-BSD forums no longer exist and now redirect to the TrueOS forums, but I state the same facts I presented in the PC-BSD forums to make the case of pf being broken from my posts at Wilders. That hasn't been wiped from history and I have an excellent memory. Though my programming was seemingly brought into question recently.

Nobody using Isotope 9.0 had a working firewall, and that is when they had just started talking about using it as a server. Nobody seemed to comprehend, or care about, the gravity of the situation, spoke up in protest of it not being addressed or fixed for people using it, or confirmed my presentation of facts.

Staff or forum members.

Tech orientated as they might have been or thought themselves, the silence was deafening and I awaited a response... When a new member stated he was considering deploying it as a server, I could no longer remain silent, and I am anything but passive-aggressive when I make a case.

Dru Lavigne finally responded to one of my threads in a very polite manner to confirm it, and I expand on the details in my link.

I made two threads because of the importance and lack of response so it would not be overlooked. The other was replied to after that by Ken Moore. I had more than my fill of PC-BSD and its politics by that time, and switched to FreeBSD.

I've mentioned it before a couple of times, but it could have been disregarded as a glitch, ramblings, rants, or a part of history best forgotten by some. Now it is a matter of public record here for FreeBSD and TrueOS users alike.
 
The FreeBSD version of PF is 6-7 years old.
That's not strictly true. It has indeed been a long time since there's been a bulk import from OpenBSD, but pf is maintained and supported in FreeBSD. It has a number of features in FreeBSD which don't exist in OpenBSD. VIMAGE support for example, as well as more sophisticated locking, which translates into greater throughput on multi-core machines.

PF was more or less rewritten in the meantime.
There's certainly been a lot of activity on it in both OpenBSD and FreeBSD. I don't think I'd call it a rewrite, based on what I see in the OpenBSD code. There's still a lot of similarity, and some patches can be imported without significant change.

The obsolete syntax of the FreeBSD version is the least of the problems.
What specific problems do you have with FreeBSD pf?
 
I have been messing with firewall builder and besides its Qt dependencies I really like it.
security/fwbuilder/
Not being a firewall guy, how would you rate this software? It works with many software firewalls.
Is it complete garbage or is it good for new firewall users?
Rules can be complex and it's nice to have assistance. Is this software OK?
The last release was a while ago and the project has disbanded. But rules are rules right?
In Dru Lavigne's book "BSD Hacks" she describes security/fwbuilder.

BTW: the book is a little old :)
 
That's not strictly true. It has indeed been a long time since there's been a bulk import from OpenBSD, but pf is maintained and supported in FreeBSD. It has a number of features in FreeBSD which don't exist in OpenBSD. VIMAGE support for example, as well as more sophisticated locking, which translates into greater throughput on multi-core machines.
Thankfully these days source trees are public so anyone can decide for herself/himself what is the truth. I will repeat: the FreeBSD version of PF is ancient and obsolete, and you guys fought many holy wars on the freebsd-pf mailing list over that. While I concur that PF code is not meant to be as portable as OpenSSH (which has two versions, one internal OpenBSD version and one portable, more complicated one for everyone else), that doesn't mean that PF can't be updated. Solaris 11.4 and OS X have a pretty darn updated version of PF. That Russian Solaris developer made a major contribution to unlock multi-threading on the modern OpenBSD version of PF. The OpenBSD network stack is not 100% SMP safe unlocked, but the problems with Intel chips demonstrated that Theo outsmarted you one more time.

Please don't give me that crap about FreeBSD features. There are 2-3 SMP related sacred patches by a few FreeBSD elders which nobody is allowed to touch, so what you have there is dead code. Show me the FreeBSD fork of PF! If you don't have one you need to follow upstream. OpenBSD guys didn't like OpenSSL. Guess what, we have the fork called LibreSSL. You don't like them, so FreeBSD will stick with OpenSSL, or rather wait for BearSSL to be written from scratch instead of importing LibreSSL.

There were multiple things which were always broken on the FreeBSD version of PF (I am not talking about syntax/grammar only). Queuing never worked on FreeBSD even though ancient ALTQ came out of FreeBSD. It actually only worked well on OpenBSD. OpenBSD's PF has come with its own queuing for a number of years now.

For starters you could at least bring OpenSSH up to date and remove those bullshit patches for "backward" compatibility. Oh, we are not allowed to do that because it serves certain corporate interests.

There's certainly been a lot of activity on it in both OpenBSD and FreeBSD. I don't think I'd call it a rewrite, based on what I see in the OpenBSD code. There's still a lot of similarity, and some patches can be imported without significant change.
Show me the FreeBSD fork of PF! I have not seen one so far, so let's drop that PR bullshit. Henning has offered multiple times to help you out with updating PF (both in a sober and in a drunk state) and you guys have rejected it. Face it. You are stuck with an ancient pseudo-fork of PF which people like myself turn on more out of habit than out of usefulness. I refuse to touch IPFW so what else can I do?

What specific problems do you have with FreeBSD pf?
I don't. I use OpenBSD machines to firewall off my FreeBSD storage servers, just like I do with my RHEL and Windows 2008 servers.
 
Thankfully these days source trees are public so anyone can decide for herself/himself what is the truth. I will repeat: the FreeBSD version of PF is ancient and obsolete, and you guys fought many holy wars on the freebsd-pf mailing list over that. While I concur that PF code is not meant to be as portable as OpenSSH (which has two versions, one internal OpenBSD version and one portable, more complicated one for everyone else), that doesn't mean that PF can't be updated. Solaris 11.4 and OS X have a pretty darn updated version of PF. That Russian Solaris developer made a major contribution to unlock multi-threading on the modern OpenBSD version of PF. The OpenBSD network stack is not 100% SMP safe unlocked, but the problems with Intel chips demonstrated that.
I've looked at the OpenBSD tree, and right now the OpenBSD pf is still single threaded. They use a single PF_LOCK() to lock the entire firewall, so it's still functionally single-threaded. The FreeBSD version is different, and significantly more performant over multiple cores.
Sadly I can't find the benchmark I'd found of OpenBSD pf, but my recollection is that (on a sufficiently large multicore system) the performance difference is roughly 10x.

There are 2-3 SMP related sacred patches by a few FreeBSD elders which nobody is allowed to touch, so what you have there is dead code.
That is simply false. glebius@ did most of the multicore work for FreeBSD pf and he's never once told me I was not allowed to touch this code. He's given me feedback on patches, as anyone can and does, but I've never been told not to touch his code. The evidence for this is plain to see in the version history and mailing lists.

Show me the FreeBSD fork of PF!
It lives here. I'm unsure why you think there's no FreeBSD pf, or what you're getting at. Again: FreeBSD pf is indeed based on an import from OpenBSD many years ago, but it is in no way unmaintained or abandoned.
 
I've looked at the OpenBSD tree, and right now the OpenBSD pf is still single threaded. They use a single PF_LOCK() to lock the entire firewall, so it's still functionally single-threaded. The FreeBSD version is different, and significantly more performant over multiple cores.
Sadly I can't find the benchmark I'd found of OpenBSD pf, but my recollection is that (on a sufficiently large multicore system) the performance difference is roughly 10x.
So what if it is still functionally single threaded? Who gives a fuck for your better performance if the FreeBSD perimeter firewall is full of zero-day exploits? If I need to push packets at 40 or 100 Gigabit per second I will not be using FreeBSD or any OS for that matter anyway. Passing network packets through the kernel can never be as fast as using backplanes on Cisco or Juniper (proprietary fork of FreeBSD 4.xxx with IPFilter) switches. Here Jim (whom I can't stand) of pfSense (NetGear) explains it in layman's terms.

Do you realize that Theo just turned off hyper-threading support? The inspiration actually came out of Matt Dillon's patch for DF.

https://undeadly.org/cgi?action=article;sid=20180620110722

I just replaced my atom based home firewall with a Ubiquiti EdgeRouter Lite (running OpenBSD octeon, of course). That is how much I trust Intel. Jim is switching pfSense to Cisco code. pfSense is no longer FreeBSD based.
Theo told you at BSDCan 2018 that he could care less about performance.

Just to make sure: those profanities are coming out of the mouth of a FreeBSD security officer, while former FreeBSD security officer Colin Percival wrote an exploit essentially during Theo's talk. You people don't get it, do you? There are people who put pride in security and privacy.

At work I am stuck with 10 Gigabit

https://www.ebay.com/itm/Supermicro...C-256GB-SSD-/112355648202?hash=item1a28eb22ca

waiting for ARM gear to catch up.

I profoundly dislike the tone of your post. You sound like there is an actual fork of PF. There is NO fork of PF for now. You can fork it now just like you could fork it 5 years ago if you didn't like it, as the code is BSD licensed. No guys, you chose to stick with a pseudo-fork and that BS about SMP performance. That is where I draw the line. This is my last post in this thread.
 
So what if it is still functionally single threaded? Who gives a fuck for your better performance if the FreeBSD perimeter firewall is full of zero-day exploits?
Citation needed. You may assert that there are zero day exploits (and it's certainly possible that there are bugs, no code is perfect), but you do need to bring more than just the plain assertion.

If I need to push packets at 40 or 100 Gigabit per second I will not be using FreeBSD or any OS for that matter anyway.
While it's certainly true that you're more likely to get higher throughput out of a dedicated hardware solution there are still use cases for pure software routers and firewalls.

It's also entirely valid for you to say you don't care about performance. Different users will have different priorities. I'm personally aware of users who do care very much, and who do want the performance FreeBSD pf offers.

I profoundly dislike the tone of your post. You sound like there is an actual fork of PF. There is NO fork of PF for now. You can fork it now just like you could fork it 5 years ago. No guys, you chose to stick with a pseudo-fork and that BS about SMP performance. That is where I draw the line.
Yes, there is a fork of pf. There are changes in FreeBSD pf which are not in OpenBSD pf (and vice versa, of course). I fail to see how that's not a fork. There are multiple different versions of pf. There's one in OpenBSD, one in FreeBSD, one in NetBSD, in Dragonfly and in OS X/iOS. This is great, even if they're not all at the same version.

To be entirely honest, I'm not inclined to continue this discussion either. I've made my point of view clear and I don't think much can be accomplished by continuing this. Readers may draw their own conclusions.
 
I'd have to say I'm pretty close to being in the same boat as ShelLuser on this.
IMHO if I can't see, nor understand what's going on in the background with the "builder" I'm even less likely to understand what's going on with the filter!
Granted, taking in the entire pf.conf(5) man page is overwhelming when first approached. Oh, and all the "how tos", which can't be relied upon, because they're written by people that are on different platforms and using different versions. Ultimately they do more harm (for new users) than good. There are exceptions, of course. But if you're just starting, how are you to know? If I were just beginning, I'd hand craft my filter a little at a time, then examine the results, then add and hone as I went along, until things worked as I intended. I guess I pretty much started in this same fashion, when I first started with pf(4).
About performance. I'd have to say, from my own experience. The FreeBSD version is pretty performant.
Proof? Sure. One of my boxes became a popular target a few months ago. I was forced to step up my pf(4) skills, as well as my scripting skills, to cope with it and get ahead of it. As it stands now, I (pf) manage several tables, totalling some 30 million (abusive) IP addresses. Impressively, it manages those on a 3-core AMD w/4GB RAM, as well as all the other services that box manages.
IMHO that's pretty damn performant. No?

Anyway. You asked, Phishfry. So there's my 2¢ worth... well, maybe 5¢ ;)

--Chris
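An added example (not from the thread or any poster) of the approach Chris describes: a FreeBSD pf.conf hand-crafted one rule at a time around a persistent table of abusive addresses, with the pfctl checks used to confirm each step actually did what was intended. The interface name, table name, file path and addresses are placeholders chosen for illustration.

```conf
# /etc/pf.conf (FreeBSD syntax): example added here, not from the thread.
# Assumed: external interface em0; abuser list kept in /etc/pf/abusers.txt
# (one address or CIDR per line, e.g. 203.0.113.0/24 from the documentation
# range). Both are placeholders.
ext_if = "em0"

# 'persist' keeps the table across rule reloads; 'file' seeds it at load time.
# Entries added later with 'pfctl -t abusers -T add <addr>' live in kernel
# memory only, so the table can grow without growing this file or the ruleset.
table <abusers> persist file "/etc/pf/abusers.txt"

set skip on lo0

# Step 1: default deny, logged, so each later rule's effect can be observed
# with 'tcpdump -n -e -ttt -i pflog0' before anything else is permitted.
block log all

# Step 2: drop table members early; 'quick' means no later rule can revive
# them and no state is created for them.
block drop in quick on $ext_if from <abusers>

# Step 3: let the host itself talk out, keeping state for the replies.
pass out quick on $ext_if proto { tcp udp icmp } from ($ext_if) keep state

# Step 4: admin access, added only after steps 1-3 behaved as intended.
pass in quick on $ext_if proto tcp to ($ext_if) port 22 keep state

# Checks used at each step (run as root):
#   pfctl -nf /etc/pf.conf             parse only; nothing is loaded on error
#   pfctl -f /etc/pf.conf              load the ruleset
#   pfctl -sr                          show the rules actually in the kernel
#   pfctl -t abusers -T show | wc -l   count of table entries currently loaded
#   pfctl -vsr                         per-rule packet/byte counters; a rule
#                                      that never matches is probably misplaced
```

Comparing `pfctl -sr` against the file is the same check that applies to a generated ruleset: whatever a builder or a how-to produced, the rules in the kernel are the ones that matter.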
 