docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5

Joe Barbish fbsd8 at
Wed Apr 18 12:40:02 UTC 2012

>Number:         167056
>Category:       docs
>Synopsis:       ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-doc
>State:          open
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 18 12:40:02 UTC 2012
>Originator:     Joe Barbish
>Release:        9.0
ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5

I am the original author [Joe Barbish] of the whole security firewall section. 

Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It’s obvious this person was unsupervised and has no knowledge of PF or what the real problem was.

This is what the problem was.
PF firewall is sourced from another project outside of FreeBSD. PF is sourced from OpenBSD source. OpenBSD, much like FreeBSD, has its own firewall called PF. The version of PF matches the version of OpenBSD it comes from.

The PF version running on FreeBSD 9.0 matches the version included in OpenBSD 4.5.

The documentation on the OpenBSD website for PF is for OpenBSD 5.0 and it has a warning saying "NOTE: NAT configuration was significantly different in earlier versions." This information is for OpenBSD 4.7. has more info about how backdated the 9.0 FreeBSD production version of PF is.

The center of the problem is that the FreeBSD handbook Security section of PF had links to the PF firewall documentation of the OpenBSD handbook. At OpenBSD version 4.7 their PF firewall had a major rewrite changing the rule syntax for how NAT rules are coded and how their FTP proxy rules were to be coded. The current OpenBSD version is 5.0 with 5.1 going to be released soon. The OpenBSD handbook PF NAT section got updated at version 4.7 with PF contents describing their new NAT rule syntax, so the links in the FreeBSD handbook for PF firewall no longer matched the outdated [4.5] version included in FreeBSD 9.0.

John Ferrell’s solution to this was to delete all the verbiage and links to the OpenBSD PF section of the OpenBSD handbook including the sample rule set that was in the FreeBSD handbook PF section. This was a major error in judgment on his part.

All that was needed was an additional statement in the FreeBSD handbook security/PF section saying “FreeBSD 9.0 is running an outdated version of PF [4.5], at PF version [4.7] the syntax of the NAT and ftp-proxy rule changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0.” Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7 and then have the new NAT rule with comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.

I suggest the online FreeBSD handbook have the security/PF section restored to its previous condition and the above changes made to its content and that this is done before FreeBSD 8.3 is released.
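The syntax change the report describes, as an added example that is not part of the original report or of the Handbook: a small Python check that reports which translation-rule grammar a `pf.conf` uses, so a ruleset copied from documentation can be compared against the PF version actually installed. Both rulesets, the interface names and the function names are constructed for illustration.

```python
import re

# Keywords that begin a translation rule in the pre-4.7 grammar (the PF of
# OpenBSD 4.5, which the report says is what FreeBSD 9.0 ships).
OLD_RULE = re.compile(r"^\s*(?:no\s+)?(nat|rdr|binat|nat-anchor|rdr-anchor)\b(?!-)")
# Options that exist only in the 4.7+ grammar, attached to match/pass rules.
NEW_OPT = re.compile(r"(?<![\w-])(nat-to|rdr-to|binat-to)(?![\w-])")

OLD_SAMPLE = """\
ext_if = "em0"
int_if = "em1"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out on $ext_if
"""
NEW_SAMPLE = """\
ext_if = "em0"
int_if = "em1"
match out on $ext_if from $int_if:network nat-to ($ext_if)
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out on $ext_if
"""

def classify(pf_conf):
    """Return the line numbers that use each translation syntax."""
    found = {"pre-4.7": [], "4.7+": []}
    for lineno, raw in enumerate(pf_conf.splitlines(), 1):
        rule = raw.split("#", 1)[0]          # drop trailing comments
        if OLD_RULE.match(rule):
            found["pre-4.7"].append(lineno)
        elif NEW_OPT.search(rule):
            found["4.7+"].append(lineno)
    return found

def matches_pf_version(pf_conf, openbsd_version):
    """True if no rule uses the grammar the given PF version rejects."""
    found = classify(pf_conf)
    wrong = "4.7+" if openbsd_version < (4, 7) else "pre-4.7"
    return not found[wrong]

if __name__ == "__main__":
    print(classify(OLD_SAMPLE), matches_pf_version(OLD_SAMPLE, (4, 5)))
    print(classify(NEW_SAMPLE), matches_pf_version(NEW_SAMPLE, (4, 5)))
```
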




