Thursday, December 2, 2010

Switching to OpenBSD from FreeBSD for the new pf syntax

There is a new syntax for pf in OpenBSD 4.7 and 4.8 that is quite interesting. You can read a bit more about it here:

http://marc.info/?l=openbsd-misc&m=125181847818600

The item that has me the most interested is the new NAT feature set. NAT is no longer a separate translation section ahead of the filter rules: it is now an option (nat-to, rdr-to) on an ordinary match or pass rule, and the translation takes effect at that point in the ruleset, so the address is changed on the fly to the new IP as the packet works its way through the rules.

This makes matching rules further down in the ruleset more interesting, and in my mind clearer, because as you run through the ruleset you are not going to be concerned with pass rules for both the WAN and LAN addresses: the LAN address will already have become the WAN address, so there really is just the one rule.
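As an added illustration (not from the original post), here is the same outbound NAT written in the old and the new syntax side by side. The interface names, the LAN prefix and the surrounding pass rules are assumptions for the example; only the nat-to/match form and the rule ordering are the point.

```pf
# Assumed interface names and LAN prefix for this example.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Old syntax (OpenBSD 4.6 and earlier, and the pf FreeBSD carried at the
# time): translation lived in its own section that ran ahead of the filter
# rules. Kept here as a comment for comparison; it is a syntax error in 4.7+.
#   nat on $ext_if from $lan_net to any -> ($ext_if)

# New syntax (OpenBSD 4.7+): NAT is an option on a match rule that is
# evaluated in order with everything else. Once this rule matches, the
# LAN source address is rewritten to the address of $ext_if, and the rules
# below see the translated address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

block log all

# Inbound from the LAN on the internal interface still carries the
# private source address: the match rule above only applies outbound.
pass in on $int_if inet from $lan_net to any

# One pass-out rule on the external interface, written against the
# translated (WAN) source address. A rule written "from $lan_net" here
# would no longer match, because the address has already been rewritten.
pass out on $ext_if inet from ($ext_if) to any
```

Two checks worth doing before loading this on a 4.7+ box: `pfctl -nf /etc/pf.conf` parses the file without loading it, so the old `nat on` form (if you uncomment it) is rejected immediately rather than at boot; and remember that a match rule with nat-to sets the translation but does not by itself pass the packet, so a later pass rule is still required for the traffic to flow at all.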


It looks like it will be a while before FreeBSD picks up the new syntax. Current plans are to update FreeBSD 9.0 to the pf from OpenBSD 4.5. If you want to play with the new syntax, you will need OpenBSD for now.

Since I'm designing a pretty hefty dual redundant firewall from scratch, complete with ALTQ, pfsync, OpenVPN, load balancing, failover, and some monitoring tools, I'm firing up an OpenBSD 4.8 box now to check it out and see if it's really as good as it seems.

BTW, here is a link to a conversion script that should help you convert to the new format:

http://jim-code-rand.blogspot.com/2010/05/openbsd-47-release-pfconf-conversion.html


I'll report back as I make progress. Since I have two identical Xeon machines to act as the firewall pair, I may have a chance to do a small performance test between OpenBSD and FreeBSD. I'm not sure where the advantage will be. I have a lot of faith in FreeBSD, but I also know that ALTQ and pf are a port in FreeBSD, whereas in OpenBSD they are built in and have a few more features.


Time will tell.

If anyone else has recently made the switch, I'd love to hear about it.
