# FreeBSD vs OpenBSD PF



## maidenush (Mar 17, 2010)

Is there any difference between the FreeBSD *PF* and OpenBSD *PF* firewalls?

Thank you,
paul


----------



## vermaden (Mar 17, 2010)

FreeBSD 8.0 uses PF from OpenBSD 4.1; PF in OpenBSD 4.6 (or the upcoming 4.7) is a little different/newer.

There is also a FreeBSD project to update PF in FreeBSD to the one from OpenBSD 4.5.


----------



## SirDice (Mar 18, 2010)

Besides the version differences there's no difference.


----------



## maidenush (Mar 18, 2010)

Thank you.


----------



## Oko (Mar 19, 2010)

SirDice said:

> Besides the version differences there's no difference.

Buuu hahahaha. You are kidding, right?

http://marc.info/?l=openbsd-misc&m=126887242119532&w=2


----------



## razrx (Mar 19, 2010)

Oko said:

> Buuu hahahaha. You are kidding, right?
> 
> http://marc.info/?l=openbsd-misc&m=126887242119532&w=2



That's a discussion on relayd, not pf itself.
The relayd FreeBSD port is indeed pretty outdated.


----------



## Oko (Mar 19, 2010)

razrx said:

> That's a discussion on relayd, not pf itself.
> The relayd FreeBSD port is indeed pretty outdated.


PF had a MAJOR overhaul between the OpenBSD 4.5 and OpenBSD 4.6 versions, which is only now fully production tested for the OpenBSD 4.7 release.

FreeBSD 9.0, to be released next year, will get PF from OpenBSD 4.5 instead of the present 4.1, which is 3 years old and part of the newly released FreeBSD 8.0. Do you know just how many bugs were found in three years, let alone the completely new functionality and *syntax* for OpenBSD 4.6?

On top of it, PF *has never been* completely implemented in FreeBSD due to the *significant* differences in the network stack between FreeBSD and OpenBSD. The same is true for NetBSD, to a lesser extent, due to the fact that OpenBSD originated from NetBSD.
Why do you think PF has never been ported to Linux? Let me guess. Because Linux iptables, which is originally based on IPFW of FreeBSD, is superior.

That is the real ugly truth about the PF implementation on platforms other than OpenBSD.

Similar things are true for OpenSSH.

But look at the bright side: Flash 10 works better on FreeBSD than on Linux, while it doesn't even work on OpenBSD.


----------



## phoenix (Mar 19, 2010)

Oko said:

> Why do you think PF has never been ported to Linux? Let me guess. Because Linux iptables, which is originally based on IPFW of FreeBSD, is superior.



ipfwadm was based on IPFW. ipchains was a rewrite with no relation to IPFW. And iptables was another rewrite with even less relation to IPFW. However, there's now a Linux port of IPFW and dummynet, so things aren't all bad for Linux firewalls now.

PF isn't on Linux probably because no one wants to taint their minds trying to figure out Linux networking-of-the-week subsystems. Nor do they want to twist the beautiful PF code to make it work on Linux.

Just because it's not there doesn't mean PF is horribly hard to port.


----------



## Anonymous (Mar 20, 2010)

Oko said:

> PF had a MAJOR overhaul between the OpenBSD 4.5 and OpenBSD 4.6 versions
> Why do you think PF has never been ported to Linux? Let me guess. Because Linux iptables, which is originally based on IPFW of FreeBSD, is superior.

Many Linux servers survived without PF, and it is nothing unusual that Linux users don't like BSD (especially OpenBSD) users...


----------



## oliverh (Mar 20, 2010)

lumiwa said:

> Many Linux servers survived without PF, and it is nothing unusual that Linux users don't like BSD (especially OpenBSD) users...

Well, there are even some Windows and Mac OS X servers surviving in the wild.


----------



## Oko (Mar 20, 2010)

lumiwa said:

> Many Linux servers survived without PF

and an even greater number of Windows servers

lumiwa said:

> and it is nothing unusual that Linux users don't like BSD (especially OpenBSD) users...

In my experience, most Linux users I met have actually never heard of BSD. How can you hate something that you have never heard of? The ones like Oliver, who already answered your post and who has been using Slackware since 1993, tend to use the best tool for the job. Unless you have tens of thousands of dollars to run your network on proprietary hardware and software, your best bet is OpenBSD. Obviously nobody is going to use OpenBSD for HPC, to run a big database or to do Flash development.


----------



## Anonymous (Mar 20, 2010)

Oko said:

> and an even greater number of Windows servers
> 
> 
> In my experience, most Linux users I met have actually never heard of BSD. How can you .

They know, and they know very well what Theo de Raadt said about Linux, for example. And your post about Linux (as I understood it) was also cynical. Everybody has the freedom to choose whatever OS they want and to think that it is the best.


----------



## oliverh (Mar 20, 2010)

> They know, and they know very well what Theo de Raadt said about Linux, for example.

Vice versa, I remember Linus' outbursts about the FreeBSD devs (idiots), Gnome devs (Nazis) et al. Those accusations don't lead anywhere. Furthermore, it seems you're talking about some Linux users; I think we're talking about professional Linux users. Most of the latter do know OpenBSD, they do know the benefits of using it, and some of them even don't like de Raadt... but hey, they're professionals! OpenBSD is a widespread firewall appliance even among Linux admins, due to the fact that most server landscapes are heterogeneous (fewer possible points of attack, the best tool for the current job, etc.).


----------



## DutchDaemon (Mar 20, 2010)

The OP was last seen surfing near St Barth (without drifting off!), so I'm closing this one.


----------

