Using OpenBSD guest as PF firewall

Thomas Laus lausts at acm.org
Thu Nov 5 12:53:08 UTC 2020


On 11/4/20 4:40 PM, Mateusz Piotrowski wrote:
> 
> Just for the record, the pf version currently available in FreeBSD is
> not just an old OpenBSD pf. See the note in the PF chapter in the
> handbook (https://www.freebsd.org/doc/handbook/firewalls-pf.html):
> 
> "Warning:
> 
> When reading the PF FAQ, keep in mind that FreeBSD's version of PF has
> diverged substantially from the upstream OpenBSD version over the years.
> Not all features work the same way on FreeBSD as they do in OpenBSD and
> vice versa."
>
OpenBSD has all its PF functionality built as part of their standard
kernel including traffic shaping queues.  Their rule syntax has also
been simplified over the version in FreeBSD.  I can write a 'pass in'
for a port, assign it to a queue, and redirect the output to another
port all in one statement.  The version in FreeBSD is a little more
complicated.  FreeBSD's version also requires recompiling the kernel
source to activate the queues.  Running an OpenBSD firewall front end to
a FreeBSD bhyve host has a small overhead of less than 1G of disk and 1G
of RAM on a server with 16G of RAM and 1T of disk.  OpenBSD uses
'syspatch' for binary upgrades.  I would have to recompile the kernel
source each time on a FreeBSD host to have bandwidth shaping queues.

Tom
-- 
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
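[Added example, not part of Tom's post or of either project's documentation: a side-by-side sketch of the single-statement OpenBSD rule he describes and its FreeBSD counterpart. The interface em0, the bandwidth figures, the internal host 192.168.1.10 and the 2222-to-22 port redirect are all made up for illustration; adjust them to your own layout before loading with `pfctl -nf`.]

```pf
#
# OpenBSD pf.conf (5.5 or later): queue definitions, then ONE rule that
# passes the traffic, redirects it to the internal host and assigns it
# to a queue.
#
queue rootq on em0 bandwidth 100M
queue ssh parent rootq bandwidth 10M
queue std parent rootq bandwidth 90M default

pass in on em0 inet proto tcp from any to (em0) port 2222 \
    rdr-to 192.168.1.10 port 22 set queue ssh

#
# FreeBSD pf.conf (ALTQ, older OpenBSD syntax): queue definitions need
# an altq line, the redirect is a separate rdr rule evaluated before
# filtering, and the pass rule must match the already-translated
# destination.  The altq block only takes effect on a kernel built with
# options ALTQ and options ALTQ_HFSC.
#
altq on em0 hfsc bandwidth 100Mb queue { ssh, std }
queue ssh bandwidth 10Mb hfsc
queue std bandwidth 90Mb hfsc(default)

rdr on em0 inet proto tcp from any to (em0) port 2222 -> 192.168.1.10 port 22
pass in on em0 inet proto tcp from any to 192.168.1.10 port 22 queue ssh
```

Check either file with `pfctl -nf /etc/pf.conf` before loading it for real; on OpenBSD, `pfctl -s queue` afterwards shows whether packets are actually landing in the ssh queue. Note that in both variants the redirected host sees the connection on port 22, so any host-level rules on 192.168.1.10 should allow that port, not 2222.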


More information about the freebsd-virtualization mailing list