does (can?) freebsd-pf 'support' OSX?

OpenMacNews freebsd-pf.20.openmacnews at spamgourmet.com
Wed Sep 22 01:35:48 PDT 2004


Chris,

> And the last time I broached firewalls with an Apple employee he scoffed at the idea that BSD needed more than the ipfw in old FreeBSD, seeing no point to ipf, pf, etc. and deeming the projects wastes of time.

my experience(s) with them on darwin-kernel, and elsewhere -- oh heck, everywhere! -- has been ... er ... less than rewarding ... as well.

i'd point you to the old, relevant threads, but they've changed the lists so that they're no longer searchable -- at least until the new-format lists are crawled.

cref: <http://lists.apple.com/faq/index.php?sid=2545&aktion=artikel&rubrik=002&id=26&lang=en>

>> if my goal is a decent firewall, i understand my options to be pf &
>> iptables.
>
> If you want stateful packet filtering,

i do

> and you actually intend to make sure the sequence numbers are examined rather than just pass packets from hosts which you've previously sent an ack,

my recent experience with iptables has exposed me to all sorts of attacks from my many apparent 'fiends' in China trying to punch holes in this issue ...

> I gather you really have only pf and ipf to think on, and with pf apparently blowing past ipf, pf is apparently your man.  And there are questions lingering perhaps over the license in ipf, so ... pf.

clear.  it's what i thought. thx!

> OpenBSD offers pf native, and when you say "old macs" you need to make sure you're discussing macs with open firmware to get OpenBSD installed.

there are, apparently, some stories of success on OldWorld macs that have been CPU upgraded -- as mine has.  but, sketchy at best.

> I've not attempted a PowerPC FreeBSD install and I'm not sure if it's even possible.  When I last looked, I found no evidence of PowerPC installers for the OS.  It appeared x86-only.

well, there *is* here ... but a little "dusty" it seems

>> soooooo, my QUESTION to y'all:
> There's not a binary you can drop in now to make pf run in Darwin.  You would need to port it, as the FreeBSD folk are doing here to get pf running on their OS of choice.

understood.

>> is it a foregone conclusion that pf is/must be built in to the kernel?
>> or can it be built as an extension to OSX?
>
> If you look, you'll see ipfw is actually implemented in Darwin as a .kext (Kernel Extension).  Thus, it's loadable and in theory replaceable.

yup.  got to this as well ...

>> fwiw, i've raised this issue on the Darwin kernel & developer lists a
>> number of times over the past months-n-years to no avail ...
>
> I'll see if I can find my exchange with Apple's current open source guru, it was depressing both from the standpoint of (lack of likelihood of) progress, and from the standpoint that the guy, whatever his good points, didn't seem to perceive that there was actually a difference between the firewall solutions.  New solutions aren't dreamed up because people like work, they're dreamed up because there's a need.  He thought all subsequent firewall projects were a waste of good coding time, I say this not to make a mockery of his position, but because he said as much.

their attitudes are "challenging" at best ... and i'm one of their biggest FANS!

which is why i've given up on them.  i do not believe that Apple can, or for that matter, should be depended on to move their box to the "cutting edge" of functionality, which is where i perceive pf to be, but rather to develop good mass-market boxes, and a good opensource core that we can build on if/when/how we need to.

>> bottom line?  how can i get pf running on OSX?
>
> porting pf, authpf, carp, etc. to Darwin would be well-received,

that's the feeling i've gotten ...

> but not trivial.

that too. :-S

> Also, the MacOS X GUI would have no idea how to handle it.

doesn't need to, IMHO.

fwbuilder2 (http://www.fwbuilder.com) meets all my GUI & back-end firewall needs for Win, Mac or *NIX on iptables, pf & ipfw.

> The best way to get it into a real distribution may be to work to mainstream pf in FreeBSD so it's picked up in the next code synch.

i'm honestly not certain what that entails, or how to go about it ... (yet)

> Authpf offers security you simply can't get from other solutions, opening ports only to your authenticated users' IP addresses.  If you want a dedicated firewall, then the failover solutions are looking interesting.  Frankly, my frustration with Darwin is leading me to a Soekris box . . . the question is merely when I'll throw up my hands with my current solution and do it.

thanks for your input!

> Take care,

Likewise,

Richard
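Added example, not part of the thread above: a minimal pf.conf illustrating the two points Chris raised, stateful filtering where only a SYN may create state (so pf's sequence-number and window tracking applies to every subsequent segment, rather than passing anything from a host that was seen earlier) and an authpf anchor that opens ports only for the IP address of a user currently authenticated by SSH. The interface name fxp0 and the port numbers are assumptions; the syntax follows pf.conf(5) and authpf(8) of the OpenBSD 3.5 / FreeBSD 5.3 era the thread is set in.

```pf
# Added example (not from the mailing-list post). Assumptions: external
# interface fxp0; OpenBSD 3.5 / FreeBSD 5.3-era pf syntax.
ext_if = "fxp0"

set skip on lo0
scrub in on $ext_if all

# Default deny inbound, logging what is dropped.
block in log on $ext_if all

# Outbound: create state only for connections we initiate. "keep state" makes
# pf track sequence numbers and window for the session, so a reply is accepted
# only if it fits the tracked TCP state, not merely because the peer address
# was seen before.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state

# Inbound SSH to the gateway (the authpf login path). "flags S/SA" means only a
# bare SYN may create state; a stray ACK or crafted mid-stream segment cannot
# open a state entry and is dropped by the block rule above.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# authpf: when a user whose shell is authpf logs in over SSH, authpf loads
# /etc/authpf/authpf.rules into a per-user sub-anchor here, with $user_ip
# replaced by the client's address, and flushes it when the session ends.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"

# Contents of /etc/authpf/authpf.rules (a separate file, shown as comments):
#   ext_if = "fxp0"
#   pass in on $ext_if proto tcp from $user_ip to any port 25 flags S/SA keep state
#   pass in on $ext_if proto tcp from $user_ip to any port 143 flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and inspect the live anchors with `pfctl -a 'authpf/*' -sr` while a user is logged in; the rules for that user disappear from the anchor as soon as the SSH session closes, which is the property authpf gives that a static ruleset cannot.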