How to tell if IPF is running?

Erik Norgaard norgaard at locolomo.org
Wed Jan 18 08:26:47 PST 2006 

Gable Barber wrote:
> On 1/18/06, Peter <petermatulis at yahoo.ca> wrote:
>>
>> Switch over to pf.
>>
> Why do you suggest PF over IPF?
> 
> Hope I am not starting a war here.. but I am genuinely interested in the
> opinions.

I used IPF on FBSD until there was some bug in IPF for 5.x some version 
that forced me to switch after an upgrade. The bug has been fixed since 
but I have found no reason to go back.

There are two things I miss from IPF:

a) proper accounting: You can't count traffic correctly with stateful 
filtering on pf, pf will count when a rule is matched but once a state 
is established packets for that state are not matched and hence not counted.

b) an active and inactive ruleset: To load a new ruleset you'll have to 
flush everything. You can check syntax of rules before loading and pf 
loads all or nothing, so if there is a syntax error in your ruleset it 
won't be loaded. BUT: You may make syntactically correct changes that 
yet contain errors: Just say you wrote:

   block in all from 10.0.0.0/2

but meant

   block in all from 10.0.0.0/24

In IPF I always used:

   # ipf -s && sleep 60 && ipf -s

to give me 60 seconds to verify that I didn't lock myself out.

Now, that is compensated by in PF you can flush and reload the rules 
only, keeping existing states, so the connection you use for maintenance 
is not torn down.

The pros for PF are some features to prevent DDoS against servers behind 
your firewall, and advanced queuing features and CARP. The use of macros 
and tables makes it easier to maintain rules, but the lack of groups 
means you have to be more careful structuring your ruleset:

Rules are read top down _always_ in IPF I really liked groups, even 
though I always kept rules together. It just made it more explicit that 
rules went the same place. PF uses some clever skip ahead to gain the 
speed that proper use of groups give in IPF, and tests have shown that 
pf is faster than IPF in particular when rulesets grow large.

but you need to be careful writing rules:

IPF sample:

block in quick from 10.0.0.0/24 to any head 10
pass  in quick from 10.0.0.0/24 to 192.168.0.0/24 group 10

PF sample:

block in       from 10.0.0.0/24 to any
pass  in quick from 10.0.0.0/24 to 192.168.0.0/24
block in quick from 10.0.0.0/24 to any

The thing is that in the first line of the IPF sample, a default action 
is made for that group. packets matching the head rule but no rules in 
the group will take that action.

In PF you'll have to include that extra rule in the end to get the same 
behavior.

So, in short, ipf is really simple and comparatively easy to work with, 
the lack of macros means you generally have to write more but this also 
makes it more explicit what happens as packets traverse the ruleset.

pf has some really nice features in particular in more complex setups. 
The use of macros means that you can create compact rulesets that can 
easily be adopted to other systems or setups.

Use what you feel most comfortable with.

Cheers, Erik

More information about the freebsd-questions mailing list