Using OpenBSD guest as PF firewall
Thomas Laus
lausts at acm.org
Thu Nov 5 12:53:08 UTC 2020
On 11/4/20 4:40 PM, Mateusz Piotrowski wrote:
>
> Just for the record, the pf version currently available in FreeBSD is
> not just an old OpenBSD pf. See the note in the PF chapter in the
> handbook (https://www.freebsd.org/doc/handbook/firewalls-pf.html):
>
> "Warning:
>
> When reading the PF FAQ, keep in mind that FreeBSD's version of PF has
> diverged substantially from the upstream OpenBSD version over the years.
> Not all features work the same way on FreeBSD as they do in OpenBSD and
> vice versa."
>
OpenBSD has all its PF functionality built as part of their standard
kernel including traffic shaping queues. Their rule syntax has also
been simplified over the version in FreeBSD. I can write a 'pass in'
for a port, assign it to a queue, and redirect the output to another
port all in one statement. The version in FreeBSD is a little more
complicated. FreeBSD's version also requires recompiling the kernel
source to activate the queues. Running an OpenBSD firewall front end to
a FreeBSD bhyve host has a small overhead of less than 1G of disk and 1G
of RAM on a server with 16G of RAM and 1T of disk. OpenBSD uses
'syspatch' for binary upgrades. I would have to recompile the kernel
source each time on a FreeBSD host to have bandwidth shaping queues.
Tom
--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
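To make the syntax comparison in the message above concrete, here are the two rule sets side by side. This is an added example, not configuration posted by anyone in this thread; the interface name (em0), the internal host (10.0.0.5), the bandwidths and the queue names are assumptions chosen for illustration. The two halves are separate /etc/pf.conf files for two different systems, shown in one block only for comparison; neither half will load on the other OS.

```pf
# ---- /etc/pf.conf on OpenBSD (6.x-era queueing, built into GENERIC) ----
# Queue tree on the outside interface; one queue must be marked "default".
queue rootq on em0 bandwidth 100M
queue web   parent rootq bandwidth 20M
queue bulk  parent rootq bandwidth 80M default

# One statement does all three jobs the message describes:
# pass the traffic in, redirect it to another host/port, and queue it.
pass in on em0 proto tcp from any to (em0) port 80 \
    rdr-to 10.0.0.5 port 8080 set queue web

# ---- /etc/pf.conf on FreeBSD 12 (ALTQ, needs a custom kernel) ----
# ALTQ is not in GENERIC; the kernel config needs at least
#   options ALTQ
#   options ALTQ_CBQ      # plus ALTQ_PRIQ / ALTQ_HFSC if those schedulers are used
#   options ALTQ_NOPCC    # required on SMP systems
altq on em0 cbq bandwidth 100Mb queue { web, std }
queue web bandwidth 20Mb cbq
queue std bandwidth 80Mb cbq(default)

# Translation and filtering are separate rules here, and the filter rule
# must match the *post-translation* destination (10.0.0.5:8080), not port 80.
rdr on em0 proto tcp from any to (em0) port 80 -> 10.0.0.5 port 8080
pass in on em0 proto tcp from any to 10.0.0.5 port 8080 queue web
```

On either system, parse the file without loading it first with `pfctl -nf /etc/pf.conf`; on a FreeBSD kernel built without ALTQ, pfctl warns that there is no ALTQ support in the kernel and ignores the queue definitions, so a rule set that loads cleanly is not by itself proof that shaping is active. `pfctl -s queue` on the running system shows whether the queues actually exist.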