# Opinions wanted on PF implementation



## stratacast1 (Feb 8, 2018)

I'm posting this in off-topic because it really isn't a "help" question, just what y'all think for choice of PF firewall implementation. My apologies if this is the wrong place.

I just bought an ALIX APU2, and when my SSD comes in, I want to make it into my edge router/firewall for my house. Because of the way my house is unfortunately wired, my network security sucks for my home and server. So I'll be doing some VLANing. I'm looking at

1) OpenBSD to do the job (barely touched the OS so it'll be a learning experiment)
2) FreeBSD and using its PF
3) OPNSense or pfSense to take the easy way out and not use CLI much

Have any of you tackled this task before? What are your opinions and what did you end up doing? Do you regret your choice? My thought is to give OpenBSD a go as it's new to me and a wicked contender for something that will very heavily need the best of security


----------



## rigoletto@ (Feb 8, 2018)

If you do not have a lot of understanding about routing/security and won't learn about that (now), OPNSense/pfSense would be your best bet.

If you want to cover "everything" possible, you should go beyond firewall and add Suricata/Snort and other stuff what are already present in OPNSense/pfSense.


----------



## SirDice (Feb 9, 2018)

stratacast1 said:


> Have any of you tackled this task before?


Yes, many, many years ago I built my first firewall from spare PC parts. It has seen many hardware and OS upgrades and reinstalls since then.


> What are your opinions and what did you end up doing?


Pretty much the same options as yours, chose FreeBSD because my other machines were also running FreeBSD. That made it easier to maintain. I could build world on a reasonably fast machine and install it on the limited CPU hardware of the firewall. 


> Do you regret your choice?


Not a single moment.


----------



## Deleted member 30996 (Feb 9, 2018)

stratacast1 said:


> 1) OpenBSD to do the job (barely touched the OS so it'll be a learning experiment)
> 2) FreeBSD and using its PF
> 3) OPNSense or pfSense to take the easy way out and not use CLI much
> 
> Have any of you tackled this task before? What are your opinions and what did you end up doing? Do you regret your choice? My thought is to give OpenBSD a go as it's new to me and a wicked contender for something that will very heavily need the best of security



1. From what I'm told, the OpenBSD version of pf is newer and the FreeBSD version is "obsolete". I have FreeBSD and OpenBSD machines and all run pf and the same ruleset, with one minor syntax adjustment for OpenBSD.

2. pf is what I've always used on BSD. I am familiar with the syntax, have a standard ruleset I save to use each run and you couldn't make me switch. Though I do check all important files by eye periodically and keep close watch on my machines, it is set-and-forget as far as I'm concerned.

3. I ran a Dell pfSense tower firewall/router for about 2 years and liked it a lot, but it was an electricity hog, and I moved to cable. Once you got the hang of the web interface and the basics it was easy to use and you could do a lot of things like country blocks. I've recently thought about re-purposing one of my laptops as a pfSense box, or doing something with OpenBSD or FreeBSD and ditching my router.


----------



## stratacast1 (Feb 9, 2018)

lebarondemerde said:


> If you do not have a lot of understanding about routing/security and won't learn about that (now)



Good thing I have a 4-year background in networking and cyber security, just not using a BSD to do it (bar pfSense).

I was considering doing something fun like brushing up on my Bro code...but that may be pushing it, Snort may be well enough, considering it's a home environment.



SirDice said:


> I could build world on a reasonably fast machine and install it on the limited CPU hardware of the firewall.



I also like the idea of doing vanilla FreeBSD because I certainly have more familiarity with it and trust it, and already have 2 boxen running it in my house.



Trihexagonal said:


> do a lot of things like country blocks



Really??? Dude. I almost want to do pfSense for that alone, unless it is easy to implement on OpenBSD. Is that behind the paywall or a free feature? I used pfSense in a couple of my school network security projects and loved it. One thing is for certain, and that is that I could probably set up a pfSense box in a day or less with minimal learning. OpenBSD will take time because I hardly know it, and I'm going to have to get really SMRT with routing and fw rules using what OpenBSD has (or FreeBSD if I opt for that) for CLI tools. But I like the simplicity of knowing I just have to protect ssh for login and not a web interface. Either way, my SSD comes in today and I'll get some good time to mess with it tonight and this weekend!


----------



## rigoletto@ (Feb 9, 2018)

Country block is actually quite easy to implement using PF. 

You would just need something for cron like:

```
curl -s http://www.ipdeny.com/ipblocks/data/countries/{cn,us,tr,ru,tw,ro,in,it,hu}.zone \
> /usr/local/etc/blocked/geoblock
```

Then something like this in /etc/pf.conf:

```
...
table <blockperm> counters file "/usr/local/etc/blocked/geoblock"
...
block in quick from <blockperm>
```
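
A fuller version of that cron job, added here as an example and not rigoletto@'s own script: the one-liner above redirects straight into the table file, so a failed download (or an HTML error page served instead of a zone file) truncates the list and the `<blockperm>` table silently blocks nothing, while a stray `0.0.0.0/0` in the fetched data would block the whole Internet. The script below fetches into a temp file, keeps only well-formed IPv4 CIDR lines with a prefix of /8 or longer, refuses to replace the live file with an empty list, and then reloads the table in the running pf with `pfctl -T replace` instead of waiting for the next pf reload. The table name, file path and ipdeny.com URL are taken from the post; the country codes, the sample zone data and the script path are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): safer refresh of the pf geoblock table.
# Assumes the <blockperm> table and /usr/local/etc/blocked/geoblock from the
# post above and ipdeny.com zone files of one IPv4 CIDR per line.
set -u

GEO_URL_BASE="http://www.ipdeny.com/ipblocks/data/countries"
TABLE_FILE="/usr/local/etc/blocked/geoblock"
TABLE_NAME="blockperm"
COUNTRIES="cn,ru"          # constructed sample; curl expands the {a,b} glob itself

# Constructed sample of what a fetched file might contain, including junk that
# must never reach the table: comments, an HTML error page, 0.0.0.0/0, an
# octet above 255, a bare address without a prefix, and a /33.
SAMPLE_ZONE='1.2.3.0/24
# not a route
<html>502 Bad Gateway</html>
0.0.0.0/0
300.1.1.1/8
10.0.0.0/8
1.2.3.4
198.51.100.0/33'

# Read zone data on stdin, print only syntactically valid IPv4 CIDR lines.
# Prefixes shorter than /8 are refused: with "block in quick from <blockperm>"
# a single 0.0.0.0/0 line would cut off every inbound connection, ssh included.
sanitize_zone() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($0, parts, "/")
        split(parts[1], o, ".")
        ok = (parts[2] + 0 >= 8 && parts[2] + 0 <= 32)
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (ok) print $0
    }'
}

# Download, sanitize, and only then swap the live file and reload the table.
# On any failure the previous list stays in place and keeps protecting the box.
refresh_geoblock() {
    raw=$(mktemp) || return 1
    clean=$(mktemp) || { rm -f "$raw"; return 1; }
    # -f makes curl fail on HTTP errors instead of saving the error page
    if ! curl -fsS "$GEO_URL_BASE/{$COUNTRIES}.zone" > "$raw"; then
        echo "geoblock: download failed, keeping old table" >&2
        rm -f "$raw" "$clean"; return 1
    fi
    sanitize_zone < "$raw" > "$clean"
    rm -f "$raw"
    if [ ! -s "$clean" ]; then
        echo "geoblock: no valid networks in download, keeping old table" >&2
        rm -f "$clean"; return 1
    fi
    mv "$clean" "$TABLE_FILE" || return 1
    # Replace the table contents in the running pf without a full ruleset reload.
    pfctl -t "$TABLE_NAME" -T replace -f "$TABLE_FILE"
}

case "${1:-}" in
    refresh) refresh_geoblock ;;
    *)       # no argument: show what the filter keeps from the constructed sample
             printf '%s\n' "$SAMPLE_ZONE" | sanitize_zone ;;
esac
```

Run without arguments it only prints the two surviving lines of the constructed sample (`1.2.3.0/24` and `10.0.0.0/8`); as root, `geoblock.sh refresh` (a hypothetical path such as `/usr/local/sbin/geoblock.sh` in a root crontab) does the real fetch and reload. The table still needs the `table <blockperm> counters file "..."` line in pf.conf so it survives a pf restart.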


----------



## Deleted member 30996 (Feb 9, 2018)

stratacast1 said:


> Really??? Dude. I almost want to do pfSense for that alone, unless it is easy to implement on OpenBSD. Is that behind the paywall or a free feature? I used pfSense in a couple of my school network security projects and loved it. One thing is for certain, and that is that I could probably set up a pfSense box in a day or less with minimal learning. OpenBSD will take time because I hardly know it,...



First off, if you can run a FreeBSD box you can run an OpenBSD box. There is very little difference and only in the way a few things are done. I've outlined it in the Off-Topic section before last summer and will help you out if you need it.

pfSense had Country Block and several other plug-ins, though that was the only one I used. There are sites which list every IP# range for a country. The People's Republic of Korea has 1 range, but I put it to heavy use and banned contact from what I considered trouble spots. I wasn't aware you could script pf to do it on its own, but my pf ruleset is draconian when it comes to blocking inbound traffic anyway.

I'm known and liked in certain of those countries now and why I don't specify them, or want to prevent myself from going there by default. It worked both ways when you blocked a country in pfSense.


----------

