rigoletto@
Developer
I never got why people do insist in using initramfs, that is not needed at all (just got the things more complicated) unless for some very specific software like plymouth.
. And the community is friendly and knowledgeable.
I would take slow over buggy, incorrect, full of security holes, and mostly undocumented (or inadequately documented) any day or night. I know FreeBSD is never going to use LibreSSL, vanilla OpenSSH, or God forbid updated version of PF due to the bad blood between the camps and I am at peace with it. However, I would never put FreeBSD machine as a perimeter firewall or such. My FreeBSD file servers in terms of security are treated just like Red Hat Linux (I don't have Windows machines). Means they need protection of OpenBSD servers to survive the Internet.
Are there any flaws with using a minimal FreeBSD + pf for such a gateway machine? I'm just about to create a firewall for my home (as a bhyve vm with two NICs assigned by PCI passthru, I planned to use them as a lagg(4) device with vlans on top) and if FreeBSD isn't suitable for that purpose, I could of course have this vm run OpenBSD ... anything I should read about that topic?
Depends on your risk averse level. Don't get me wrong there are people running ISP businesses of FreeBSD. Your lost me when you start taking about virtual machines and perimeter firewall. Virtual machines including OpenBSD's vmm and security are mutually exclusive concepts.
Bad news for all these cloud service providers then
Well, alright, that's a whole different level you're talking about if the possibility to break out of a VM is to be considered. Definitely makes sense for an enterprise network -- not so much for me at home So I guess I'll just stick to FreeBSD for simplicity. (I'm as bad as anyone else).
)
Seriously speaking, what the advantage of PF over IPFW?
I mean,I've always found IPFW so damn good,featured,understandable and easy to use that never felt the necessity to explore something else, outside DragonflyBSD's IPFW3 (which I sugesst you to check out if you haven't already
After having faced the nightmare of learning iptables because of the Void Linux Rpi3 server, I just came to the conclusion that IPFW/IPFW3 was the best I could get for both desktop and home server.
So my question (driven from curiosity and sincere interest) is: where does PF fare better than IPFW , in terms of security, performance, features, versatility, documentation, sintax,maintainance, integration wirh other base system utils like natd, or 3rd party siftware like squid, etc..?
Not quite what you wanted to hear. PF is the native package filter of the OpenBSD while IPFW is the native package filter of FreeBSD. PF on FreeBSD is (from my vintage point) obsolete, unmaintained and for all practical purpose a pseudo fork of real PF. However it is still widely used on FreeBSD by people like me who prefer it over IPFW due to familiarity and simplicity. Both product are very formidable, however only one of them PF is the package filter of OS X and Solaris 11 (traditionally Solaris package filter was Daren Reed's IPFilter which is still available on FreeBSD and used by Juniper networks).
