Why FreeBSD has three firewalls?

Mr_Dragon

New Member


Messages: 10

I'm curious why FreeBSD has three firewalls. I mean pf, ipfw and ipfilter. It's against the KISS rule. As sysadmin, I'll have to learn three different firewalls rather than focus on the one iptables as in Linux. Isn't one firewall in FreeBSD enough?

PS. If I have posted this topic in the wrong forum, please move it.
 

drhowarddrfine

Son of Beastie

Reaction score: 1,141
Messages: 3,091

Because FreeBSD doesn't dictate what you will use like Linux does and gives you the choice to use which one you want to use. You don't need to learn three firewalls, just the one you want.
 

pyret

Member

Reaction score: 54
Messages: 86

IPFW first appeared in 2.0 and is FreeBSD's native firewall.
IPF was available in 2.2.
PF first appeared in 5.0.

Why do you think you need to learn all three? If you are the sysadmin, it would be your decision on which to use.

PF has diverged greatly from OpenBSD who constantly change it, along with syntax and it has been developed to better handle multi-core processors on FreeBSD.

Each has their preference of which to use. I started using ipfilter on FreeBSD, then turned to OpenBSD using PF until that machine died and OpenBSD was using a new syntax that I didn't want to relearn, so I returned to running ipfilter on FreeBSD. I have also thought of moving my firewall to SmartOS and it uses ipfilter too, so I can use the same rules. SmartOS also has fwadm which is their own firewall for VMs.

Now if I was running everything on Plan 9, then I'd just hook up my cable modem to a Plan 9 CPU machine and have a separate Plan 9 auth server, import the external interface from the CPU server onto the internal machines and nothing could get in, but all traffic could get out. No NAT is necessary. But I need access to the internet for my Windows machine and TV so I can watch Hulu and Netflix. So Plan 9 as my proxy out won't work. But they could bang on it all day and everything inside would be secure.

Then again, maybe I can use OS/2 as my firewall since it has built-in NAT and TCP/IP filtering. Or perhaps use OS/2 with the Injoy firewall.

Solaris 11.3 offers a ported PF and also still has ipfilter.

Does iptables do stateful inspection? It didn't used to unless they changed that. Not sure why you have to invoke Linux, because your question didn't require the reference.

As I said, everyone has their reason for which they choose, and what they choose to run it on, and more options usually isn't a bad thing.
 

ShelLuser

Son of Beastie

Reaction score: 1,702
Messages: 3,514

And in addition to the above...

I'm curious why FreeBSD has three firewalls.
This is just my take on it but: "To make it easier to use FreeBSD when you're already used to another Unix-like system.".

I mean pf, ipfw and ipfilter. It's against the KISS rule.
Actually it's in full compliance, I'd even argue that it actually honors the rule because it's a lot more work for the developers to maintain 3 different firewalls while it can really help people to migrate to (or simply maintain) FreeBSD. I speak from personal experience; I've used ipfilter for many years on Sun Solaris and when I eventually made the jump to FreeBSD I could rely on one solid assurance: no matter how much I might mess up my system's local security, I could always count on my firewall to keep out all bad stuff. Because I didn't have to re-learn anything.

As sysadmin, I'll have to learn three different firewalls than focus on the one iptables as in Linux. Isn't one firewall in FreeBSD enough?
Do yourself a favor: next time you criticize something try to make sure you actually know what you're talking about?

In this case: check up on Chapter 30 of the FreeBSD handbook:

FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs.

It even answered your original question.
 

sidetone

Daemon

Reaction score: 383
Messages: 1,060

FreeBSD definitely needs IPFW and PF. These two can be used together without problem (IPFW for a quick canned firewall, and PF for more customization). PF has documentation and a reputation from OpenBSD. IPFW is FreeBSD's native firewall with different strengths.

There was talk about removing IPF from a future FreeBSD release. It was in, because Juniper contributed to FreeBSD. There aren't many threads about IPF, but it should be a choice, even if through ports (maybe baseports). My src.conf leaves IPF out. In one way, I think firewalls in base should be limited to two for simplicity, but in another sense, I believe that IPF shouldn't be left out of base.

There are two things that confused me in the past: that the names have a combination of P and F, and, if I'm not mistaken, the book BSD Toolbox had an error in it about turning on firewalls through rc.conf. Setting it up according to that book didn't work; it worked without a hitch setting it up after analyzing information from different resources.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,278
Messages: 29,707

IPF(ilter) is being fixed, cleaned and/or updated. Can't remember the details but noticed a bunch of commits on 12.0-STABLE for it.
 

olli@

Well-Known Member
Developer

Reaction score: 276
Messages: 315

As others have mentioned, you don't have to learn all three firewalls. In most cases you use just one of them (although it is possible to combine them). It's your choice.

IPFW is FreeBSD's native firewall. It had support for some FreeBSD features before the others did (e.g. filtering by jail).
IPF is a portable firewall. It was very popular on Solaris, for example, so it was convenient for people coming from Solaris to FreeBSD.
PF was developed by OpenBSD, based on IPF, so they have some similarities.

Personally I prefer IPFW because it has some features that the others don't have. Also, I like the way rules are organized with numbers (like good old BASIC), so you can easily insert new rules between existing ones, and you can jump between them like in a script or programming language, have common blocks accessed from multiple rules, and so on. The traffic shaping feature of IPFW is very powerful, too.
 

pleomati

New Member


Messages: 3

There are many configs out there, so no need to learn all three firewalls, only some basic elements and a configuration you can find somewhere, i.e.
Code:
ext_if="em0" # change to your network interface name

service_ports="{ 22, 25, 80, 53,  443, 3306, 8080 }"
application_ports="{ 8332, 8333, 6688, 6689, 55001 }" # change to ports which are needed by your apps
table <trusted_hosts> const { my.ip.one.address, my.ip.two.address, 8.8.8.8, 8.8.8.4 } # change my ip address to your ip address
table <abusive_hosts>

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id

antispoof quick for { lo0 $ext_if }

block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

pass in inet proto icmp all icmp-type echoreq

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

pass in on $ext_if proto {tcp,udp} to any port $application_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

##ban some ip :: pfctl -t abusive_hosts -T add 8.8.8.8
##remove ban  :: pfctl -t abusive_hosts -T delete 8.8.8.8
##remove all banned ips :: pfctl -t abusive_hosts -T  flush
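To audit a ruleset like the one above before loading it, it helps to see which ports each pass-in rule actually opens once the macros are expanded and which overload table throttles it. The following is an added example (not from the post or from pf itself): a small Python helper that joins pfctl-style line continuations, expands macros and lists, and summarizes the pass-in rules; the embedded ruleset is a constructed excerpt of the one posted.

```python
import re

# Constructed excerpt of the posted pf.conf: the macros plus the two
# rate-limited pass-in rules. Only the audit helper below is new.
SAMPLE_PF_CONF = r'''
ext_if="em0" # change to your network interface name
service_ports="{ 22, 25, 80, 53,  443, 3306, 8080 }"
application_ports="{ 8332, 8333, 6688, 6689, 55001 }" # ports needed by apps
table <abusive_hosts>
block in
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)
pass in on $ext_if proto {tcp,udp} to any port $application_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)
'''

MACRO_RE = re.compile(r'^(\w+)="([^"]*)"')

def logical_lines(text):
    """Join backslash continuations and strip # comments, as pf.conf allows."""
    joined = re.sub(r'\\\n', ' ', text)
    for raw in joined.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield line

def expand_list(value):
    """Turn a pf list such as '{ 22, 25 }' (or a bare token) into a list of tokens."""
    return [t for t in re.split(r'[\s,{}]+', value) if t]

def exposed_ports(conf):
    """For each 'pass in' rule return protocols, ports and overload table, macros expanded."""
    macros, result = {}, []
    for line in logical_lines(conf):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)   # remember ext_if, service_ports, ...
            continue
        if not line.startswith('pass in'):
            continue
        line = re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        proto = re.search(r'proto\s+(\{[^}]*\}|\S+)', line)
        port = re.search(r'port\s+(\{[^}]*\}|\S+)', line)
        overload = re.search(r'overload\s+<(\w+)>', line)
        result.append({
            'protos': expand_list(proto.group(1)) if proto else ['any'],
            'ports': [int(p) for p in expand_list(port.group(1))] if port else [],
            'overload': overload.group(1) if overload else None,
        })
    return result
```

Running `exposed_ports(SAMPLE_PF_CONF)` shows the second rule opens its application ports for UDP as well as TCP, which is easy to miss when reading the macro name alone.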
 

BSD User

Member

Reaction score: 11
Messages: 21

It’s always good to have a choice, even Mac OS X includes 2 firewalls: PF & Application Firewall :)
 

cy@

Member
Developer

Reaction score: 4
Messages: 22

FreeBSD definitely needs IPFW and PF. These two can be used together without problem (IPFW for a quick canned firewall, and PF for more customization). PF has documentation and a reputation from OpenBSD. IPFW is FreeBSD's native firewall with different strengths.
I've used all three together.

It used to be best practice to use two different firewalls back to back (however this has fallen out of favour over the years). You can do that in a "virtual" sense on one FreeBSD firewall.
 

linux->bsd

Active Member

Reaction score: 62
Messages: 162

I'm curious why FreeBSD has three firewalls.
Because Freedom. And as others have said: what makes you think you need to learn all three? Pick one and run with it. Since you like iptables so much, go with ipfw(). Was my firewall of choice when I switched to BSD because it feels very similar to iptables.
 

Trihexagonal

Daemon

Reaction score: 847
Messages: 1,465

I've always used pf with BSD and am familiar with the syntax. I have FreeBSD and OpenBSD machines and use the same ruleset on both with only a minor change in syntax to the OpenBSD egress rule.

It's a matter of personal preference and confidence in pf.
 

drhowarddrfine

Son of Beastie

Reaction score: 1,141
Messages: 3,091

Because some people run Windows in VirtualBox or bhyve and they need all three at the same time.
 

youngunix

Active Member

Reaction score: 37
Messages: 223

Because FreeBSD doesn't dictate what you will use like Linux does and gives you the choice to use which one you want to use. You don't need to learn three firewalls, just the one you want.
Does Linux dictate what software you port to it?
You are welcome to port to Linux whatever your heart desires.
 

unitrunker

Active Member

Reaction score: 47
Messages: 108

The OP's question is misleading. It implies Linux has only one firewall - which is not true. The premise to this entire thread is nonsense. To those of you not yet old enough to have children of your own, imagine (some day) driving your child to school. Your kid asks questions about the world around them. Why this? Why that? All answers lead to more questions. At some point you must let them be to discover their own answers.
 

drhowarddrfine

Son of Beastie

Reaction score: 1,141
Messages: 3,091

youngunix Almost all Linux distros come with a complete desktop operating system with packages for such usage pre-installed. If you don't want to use all that, you must install your own and should uninstall the rest. FreeBSD does not do that.
 

youngunix

Active Member

Reaction score: 37
Messages: 223

youngunix Almost all Linux distros come with a complete desktop operating system with packages for such usage pre-installed. If you don't want to use all that, you must install your own and should uninstall the rest. FreeBSD does not do that.
The important thing is freedom of choice. You have OSes based on FreeBSD that ship with a lot of blob too but some of us choose to customize their own from scratch using FreeBSD! Same with Linux distros, you have Arch Linux, Gentoo and the likes that lets the user choose what they want/need on their systems.
You are either a cow that likes to just stand there and get fed blob or a wolf that goes for that lean, mean system setup!
 

drhowarddrfine

Son of Beastie

Reaction score: 1,141
Messages: 3,091

Same with Linux distros
No, it's not the same. While you can use Arch and Gentoo and make custom installations on Linux, the vast majority of distros--thousands--come pre-installed with desktops and office tools and browsers. But Arch and Gentoo are not typical installations for an average Linux user and neither is FreeBSD a typical installation for average users.
You have OSes based on FreeBSD that ship with a lot of blob too but some of us choose to customize their own from scratch using FreeBSD!
No, you have a very few--maybe three--pre-built packages that are FreeBSD but they are FreeBSD and nothing else. You can uninstall those packages and you wind up with FreeBSD--the complete operating system.
 

Afflospark

Guest


As you are a system admin, I assume you are well aware of what firewalls do in a system and of the best available firewalls on the market (if you don't, follow this article https://www.experthoot.com/top-5-free-firewall-tools/ ).
FreeBSD provides you options to choose from; they provide three different firewalls so if you are migrating from another system and you already know any of them, then you can directly use that firewall smoothly. You are still free to remove any of these packages and install a new one of your choice.
 

ctaranotte

Active Member

Reaction score: 21
Messages: 109

From Wikipedia:

ipfirewall or ipfw is a FreeBSD IP, stateful firewall[1], packet filter and traffic accounting facility. Its ruleset logic is similar to many other packet filters except IPFilter. ipfw is authored and maintained by FreeBSD volunteer staff members. Its syntax enables use of sophisticated filtering capabilities and thus enables users to satisfy advanced requirements. It can either be used as a loadable kernel module or incorporated into the kernel; use as a loadable kernel module where possible is highly recommended[citation needed]. ipfw was the built-in firewall of Mac OS X[2][3] until Mac OS X 10.7 Lion in 2011 when it was replaced with the OpenBSD project's PF. Like FreeBSD, ipfw is open source. It is used in many FreeBSD-based firewall products, including m0n0wall and FreeNAS. A port of ipfw and the dummynet traffic shaper is available for Linux, OpenWrt and Microsoft Windows.[4] wipfw is a Windows port of an old (2001) version of ipfw.[5]
PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license.[1]

The initial version of PF was written by Daniel Hartmeier.[2] It appeared in OpenBSD 3.0, which was released on 1 December 2001.[3]

It was later extensively redesigned by Henning Brauer and Ryan McBride[4] with most of the code written by Henning Brauer. Henning Brauer is currently the main developer of PF.
IPFilter (commonly referred to as ipf) is an open-source software package that provides firewall services and network address translation (NAT) for many Unix-like operating systems. The author and software maintainer is Darren Reed. IPFilter supports both IPv4 and IPv6 protocols, and is a stateful firewall.

IPFilter is delivered with FreeBSD, NetBSD, Solaris 10 & 11 and illumos. It used to be a part of OpenBSD, but it was removed in May 2001 due to problems with its license,[1] after negotiations between Theo de Raadt and Reed broke down. It was subsequently replaced in OpenBSD by PF, which was developed by OpenBSD's own developers. DragonFly BSD removed its support for IPFilter in May 2011.
My two cents:

I am using IPFW on FreeBSD because it has been designed and developed for FreeBSD (hence speed, granularity...) but the downside is that you cannot have both traffic shaping (dummynet) and statefulness.

I am also using PF on OpenBSD. PF is no longer developed/ported on FreeBSD since 2013, see this thread. The FreeBSD version is the one shipped with OpenBSD 4.6 (the stable version is now 6.4). In addition, AltQ has been dropped by the OpenBSD project in favor of a new queue scheme.

I don't know IPFILTER but my feeling is that it is not as used as IPFW and it is no longer a priority for the devs.
 