IPF Why does IPF still exist?

It is multi-threaded and has been for quite a few years.

pf was written by OpenBSD due to a licensing dispute with Darren Reed. IPF is BSD licensed for *BSD systems and GPL for non-BSD systems. But when the license was first changed (when he became a Sun employee) OpenBSD didn't ask questions. They simply replaced it with a rewrite.

We will not import any updated PF from OpenBSD. The OpenBSD version of PF is single threaded. FreeBSD has put in a lot of work to make PF multi-threaded. We cannot and will not undo that work by importing an updated PF from OpenBSD. FreeBSD is upstream for our PF. This was made abundantly clear in the mailing lists.


That is in my queue.
I'm well aware that we've diverged from OpenBSD's pf; I'm just saying that at least the npf author and I are/were under the impression that ipf is not multi-threaded.
 
I do think that OpenBSD is worse for my personal uses, because of its inferior performance in some cases, and that I use Nvidia. (I kinda know I already said this, but I just am sort of explaining one of the reasons I chose FBSD.)
 
I'm well aware that we've diverged from OpenBSD's pf; I'm just saying that at least the npf author and I are/were under the impression that ipf is not multi-threaded.
Certain data structures are serialized (using IPF mutexes), just as other parts of the kernel do, but IPF itself does not serialize itself under one lock (i.e. only one execution thread). I don't know where that person got that from.

Back in the day it was believed that IPF was under GIANT. But that assumption was incorrect. It is multi-threaded under FreeBSD and Solaris.

BTW the FreeBSD IPF has been "virtualized" allowing VNET jails to control "their" IPF.

It's certainly multi-threaded.
 
FreeBSD is very similar to C++.

*runs & hides*

PS: I habitually use IPF, manual transmission, and a bicycle, and they all work for me.
C++ is a dinosaur of the past; the apparent new thing is Rust.

I don't understand anything about firewalls, so there should be a basic graphical firewall application.
 
I don't understand anything about firewalls, so there should be a basic graphical firewall application.
There is a basic graphical firewall application built into Windows which is designed to be user-friendly. However, if you understand nothing about firewalls, I still don't recommend just guessing at things. Either learn how they work or pay an expert to do it for you (they will likely stick to the official config method, though, rather than random GUIs).

C++ is a dinosaur of the past; the apparent new thing is Rust.
Just like the old ${BSD} is dead narrative. C++ will outlive us all. :beer:
 
I don't understand anything about firewalls, so there should be a basic graphical firewall application.
pfSense and OPNsense are two firewall products based on FreeBSD that have web-based interfaces for configuration. If all you need is a firewall/router, then either of those will work.

A generic GUI for creating firewall rules? What are you targeting, PF, IPF, IPFW, something else? There are probably a few on Linux that do iptables or ufw, maybe ask if they could be ported to BSD.

Personally, FreeBSD already has some good default configurations that just need minor tweaking in /etc/rc.conf (make sure it has local addresses etc).
 
Linus's bullshit about ZFS is hard to listen to
Y'know, there are some conversations on the Forums about what was actually said and why. OpenZFS license is incompatible with GPL. And with the level of fame and money involved, concerns about lawsuits are legitimate in that arena. It may sound like bullshit to rank-and-file people like us, but that's only because we're not in position to really have such worries.
 
Y'know, there are some conversations on the Forums about what was actually said and why. OpenZFS license is incompatible with GPL. And with the level of fame and money involved, concerns about lawsuits are legitimate in that arena. It may sound like bullshit to rank-and-file people like us, but that's only because we're not in position to really have such worries.
 
Ah, more FUD. The article is pretty judgemental and opinionated. Not good journalism. 😩
I've never liked Linus (he is a HUGE asshole), so I think that my confirmation bias may have picked this, but the GNU part of GNU/Linux was made by the biggest FUD spreaders in the open source community. That doesn't even mention their "confusing terms" article (you can feel the newspeak) and the belief that FreeBSD is bad because the ports "allow you to obtain proprietary software". Their definition of "Freedom™️" is completely Orwellian. True freedom is allowing you to run and do whatever you want! Also, don't get me started about all of the paranoid nonsense they spread about the NSA. Just browse gnu.org for a few hours and you will stumble across it. The big problem isn't Linus, it's the FSF!
 
I've never liked Linus (he is a HUGE asshole), so I think that my confirmation bias may have picked this, but the GNU part of GNU/Linux was made by the biggest FUD spreaders in the open source community. That doesn't even mention their "confusing terms" article (you can feel the newspeak) and the belief that FreeBSD is bad because the ports "allow you to obtain proprietary software". Their definition of "Freedom™️" is completely Orwellian. True freedom is allowing you to run and do whatever you want! Also, don't get me started about all of the paranoid nonsense they spread about the NSA. Just browse gnu.org for a few hours and you will stumble across it. The big problem isn't Linus, it's the FSF!
Sometimes, you gotta be able to discuss things with a cool head, and be willing to actually put in an effort to understand why the other party took the position they did. Some people like command-line, others don't. Some people know enough about firewalls to be able to figure out sensible settings no matter which firewall they're using - and some know so little that they're better off leaving it alone. Some people drive on the left right side of the road, some on the right left (like in England and Australia). Some people are willing to put in the work it takes to set up a FreeBSD machine so that it is actually useful, and some people just shell out for an iPhone, and would rather let Apple manage it.

Y'know, I just love Roy Yamaguchi's restaurants (Google them). The guy is a fantastic cook, his $100 USD plates are well worth making a dinner reservation months in advance. But the guy himself uses an iPhone, which I'm not a fan of. So what. For him, making good dishes is a priority over computing. I don't care whether he's a fan of iPhone or Android, and have no judgement. Whatever helps him instead of getting in the way of cooking creativity. That's what it means to understand that other people have other priorities that may or may not line up with your ideals.

Edit: Had to correct myself about who drives on which side of the road.
 
Sometimes, you gotta be able to discuss things with a cool head, and be willing to actually put in an effort to understand why the other party took the position they did. Some people like command-line, others don't. Some people know enough about firewalls to be able to figure out sensible settings no matter which firewall they're using - and some know so little that they're better off leaving it alone. Some people drive on the left side of the road, some on the right (like in England and Australia). Some people are willing to put in the work it takes to set up a FreeBSD machine so that it is actually useful, and some people just shell out for an iPhone, and would rather let Apple manage it.

Y'know, I just love Roy Yamaguchi's restaurants (Google them). The guy is a fantastic cook, his $100 USD plates are well worth making a dinner reservation months in advance. But the guy himself uses an iPhone, which I'm not a fan of. So what. For him, making good dishes is a priority over computing. I don't care whether he's a fan of iPhone or Android, and have no judgement. Whatever helps him instead of getting in the way of cooking creativity. That's what it means to understand that other people have other priorities that may or may not line up with your ideals.
Sorry, I just really get annoyed by RMS, and I didn't mean anything against anyone else. If someone really likes Linux, then they can use it. Sure, I will be sad if someone abandons FreeBSD for GNU/Anything, but I do agree that they should be able to go their own way.
 
I recently found IPFilter useful. PF took using online documentation along with The Book of PF for me to set up. Maybe a week of learning. While I may have gotten the configuration correct, I worried about dropped packets when using the stateful setting for some rules.

I use a canned configuration of FreeBSD's IPFW, allowing some rules through, all through rc.conf. You can find canned settings in /etc/rc.firewall. The settings to bypass specific rules are also described in that file. I've used a canned IPFW firewall with PF in the past, and will continue to use it in conjunction with another firewall.

IPF is convenient, for when I need an immediate block of a port, and I don't want to relearn PF, when I lost my old file. I view IPF as an extension of IPFW, even if the rules operate in different sequential orders.

PF is good, though it has a structure involving different parts, or multiple sections, which must all be understood. With IPF, I find the instructions for the rule I need, and insert it.

Oddly, when I run kldstat, IPFilter being enabled shows up as ipl.ko, and ipl(4) is for packet logging.

I wrote a lot of this elsewhere, though this is a thread about IPF, so I wrote about why I came around to it. I tried to learn about BSD firewalls through a book named BSD Toolbox, which I believe got information about IPF incorrect, in that names may have been mislabeled. This may have caused confusion and frustration for me. Otherwise, aside from being Bash-centric, it's a great book.

The 3 firewalls themselves are very light: maybe 4MB total for all of them combined.
 
I believe that a few IllumOS distributions use IPFilter. It makes sense to have firewalls which have more widespread use across multiple operating systems. I let misconceptions and confusion about IPFilter affect my view about it earlier.
 
I believe that a few IllumOS distributions use IPFilter. It makes sense to have firewalls which have more widespread use across multiple operating systems. I let misconceptions and confusion about IPFilter affect my view about it earlier.
The IllumOS folks have expressed interest in replacing their IPF 4.2.8 with IPF 5.1.2 as we have done.

Having the same firewall software on multiple platforms is something I've done at $JOB - 1. I had a number of Solaris and FreeBSD systems behind firewalls that the firewall group (in a very large organization of 35K employees) did not want to maintain rules specific to my customer (the accounting department). So I developed a methodology to push out firewall rules using ipfmeta, makefiles, and rsync to the various machines in order to create a virtual firewall on the machines themselves -- without the help of the firewall group. Since FreeBSD and Solaris supported the same firewall software (IPF) the same ruleset was used and distributed to all machines.

My method was simple enough in that I also used CVS at the time to maintain a central repo of the firewall rules. It was documented such that the most junior member of my team could process customer firewall requests and push the rules out to all affected servers. Again, without the help of the firewall group, who didn't want to maintain rules for this particular group.
 
The IllumOS folks have expressed interest in replacing their IPF 4.2.8 with IPF 5.1.2 as we have done.

Having the same firewall software on multiple platforms is something I've done at $JOB - 1. I had a number of Solaris and FreeBSD systems behind firewalls that the firewall group (in a very large organization of 35K employees) did not want to maintain rules specific to my customer (the accounting department). So I developed a methodology to push out firewall rules using ipfmeta, makefiles, and rsync to the various machines in order to create a virtual firewall on the machines themselves -- without the help of the firewall group. Since FreeBSD and Solaris supported the same firewall software (IPF) the same ruleset was used and distributed to all machines.

My method was simple enough in that I also used CVS at the time to maintain a central repo of the firewall rules. It was documented such that the most junior member of my team could process customer firewall requests and push the rules out to all affected servers. Again, without the help of the firewall group, who didn't want to maintain rules for this particular group.
Yeah, having the same firewall software throughout the enterprise really helps, although that tends to boil down to Windows Firewall. I've seen my share of people who try to approach Linux/UNIX-based firewalls like Windows Firewall - and spending weeks trying to formulate rules for specific applications. They never realized that the order of filtering matters in a UNIX-based firewall, what needs to get filtered out first, second, third, etc., and why in that order.
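The two posts above describe a workflow (symbolic rule templates expanded by ipfmeta, pushed to Solaris and FreeBSD hosts with rsync) and the point that rule order matters in a UNIX firewall. The script below is an added illustration of that workflow, not code from the thread or from the ipfmeta project: the object expansion is done with a small awk stand-in rather than ipfmeta, so the object-file format (one `NAME value` per line) and the validation rules are assumptions of this example. The rule template, addresses, and object names are constructed sample data.

```sh
#!/bin/sh
# Added example: build an IPF ruleset from a symbolic template, validate it,
# and (optionally) push it to a host. The awk expander stands in for ipfmeta;
# its object-file format is an assumption of this example.

set -u

WORK=$(mktemp -d)

# Constructed object definitions shared by every host in the ruleset.
cat > "$WORK/objects" <<'EOF'
ACCT_NET 192.0.2.0/24
ADMIN_HOST 198.51.100.7
SSH 22
EOF

# Constructed rule template. IPF evaluates rules in order and the last match
# wins unless a rule says "quick", so the catch-all block goes first and the
# specific "quick" passes after it.
cat > "$WORK/ipf.tmpl" <<'EOF'
block in all
pass in quick on em0 proto tcp from ADMIN_HOST to any port = SSH flags S keep state
pass in quick on em0 proto tcp from ACCT_NET to any port = 443 flags S keep state
pass out quick on em0 all keep state
EOF

# Replace every whitespace-separated token that names an object with its value.
expand_rules() {  # usage: expand_rules objects template  (prints expanded rules)
    awk 'NR == FNR { obj[$1] = $2; next }
         { for (i = 1; i <= NF; i++) if ($i in obj) $i = obj[$i]; print }' "$1" "$2"
}

# Refuse a ruleset that still contains an unexpanded object name (an ALL-CAPS
# token of two or more characters) or a line that is not a pass/block rule.
check_ruleset() {  # usage: check_ruleset file ; exit status 0 only if clean
    awk '
        $1 != "pass" && $1 != "block" { print "bad rule: " $0 > "/dev/stderr"; bad = 1 }
        /(^|[ \t])[A-Z][A-Z_]+([ \t]|$)/ { print "unexpanded object: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }' "$1"
}

# Expand the template into $WORK/ipf.rules and validate it before anything ships.
build_ruleset() {  # usage: build_ruleset ; exit status 0 only if the ruleset is clean
    expand_rules "$WORK/objects" "$WORK/ipf.tmpl" > "$WORK/ipf.rules" &&
    check_ruleset "$WORK/ipf.rules"
}

# Copy the validated ruleset to a host and reload IPF there (flush all, then load).
# Shown for completeness; this example never calls it.
push_ruleset() {  # usage: push_ruleset host file  (hypothetical host name)
    rsync -a "$2" "root@$1:/etc/ipf.rules" &&
    ssh "root@$1" 'ipf -Fa -f /etc/ipf.rules'
}

if build_ruleset; then
    echo "ruleset built: $WORK/ipf.rules"
fi
```

Because validation happens before the push, a typo in an object name (which would otherwise reach the hosts as a literal token and make `ipf` reject the file) is caught on the build machine. The order in the template is the part worth checking by hand: with IPF's last-match-wins semantics, a `block in all` placed after the passes would silently override them unless those passes carried `quick`.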
 