What's wrong with Linux for firewalls? Either openwrt, or any distro really.
Why would any BSD perform better?
(edit: genuinely curious why BSDs are such popular firewalls)
Compared to working with iptables, PF is like this haiku:
A breath of fresh air,
floating on white rose petals,
eating strawberries.
Now I'm getting carried away:
Hartmeier codes now,
Henning knows not why it fails,
fails only for n00b.
Tables load my lists,
tarpit for the asshole spammer,
death to his mail store.
CARP due to Cisco,
redundant blessed packets,
licensed free for me.
(From https://marc.info/?l=openbsd-pf&m=108507584013046&w=2 )
Nftables has improved the situation on Linux somewhat, but PF is incredibly intuitive and powerful. A league of its own when it comes to firewalling.
I assume in this case they already had a bunch of firewall rules for PF and switching from OpenBSD -> FreeBSD is a much easier lift than going to Linux because both the BSDs are using PF, although IIRC there are some differences between both implementations.
One thing I like about using OpenBSD for my home router is almost all the necessary daemons being developed and included with the OS. DHCPv4 server/client, DHCPv6 client, IPv6 RA server, NTP, and of course SSH are all impeccably documented, use consistent config file formats/command-line arg styles, and are privilege-separated with pledge.
What's wrong with using any BSD? Can't people use whatever suits their needs?
We migrated to a Linux nftables based firewall.
I never liked iptables, but nftables is pretty nice to write and use.
And with one "flowtable" line added to your nftables.conf you can even, in theory, have faster routing when conntrack is active.
https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1...
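A minimal nftables.conf illustrating the flowtable this comment refers to, added here as an example (it is not from the thread or the linked article); the interface names eth0/eth1 and the LAN-to-WAN policy are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration, not from the thread. Assumes a router forwarding between
# eth0 (WAN) and eth1 (LAN); adjust the device names to your own interfaces.
flush ruleset

table inet filter {
    # The flowtable: once a tracked connection is established and one of its
    # packets has traversed the forward chain, later packets of that flow are
    # matched at ingress and forwarded directly, bypassing the regular
    # netfilter forwarding path (this is the software fast path).
    flowtable ft {
        hook ingress priority filter
        devices = { eth0, eth1 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Hand established TCP/UDP flows to the flowtable. Only connections
        # known to conntrack can be offloaded, so this does nothing for
        # untracked traffic; meta l4proto covers both IPv4 and IPv6.
        meta l4proto { tcp, udp } flow add @ft

        ct state established,related accept
        ct state invalid drop

        # Permit new connections only from the LAN out to the WAN
        iifname "eth1" oifname "eth0" ct state new accept
    }
}
```

Connections that have been offloaded show the [OFFLOAD] flag in `conntrack -L` output, which is a quick way to confirm the flowtable is actually being used.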
Because of PF or Packet Filter (the PF in pfSense FWIW): https://en.wikipedia.org/wiki/PF_(firewall)
PF is really nice. (Source: me. CISSP and a couple decades of professional experience with open source and proprietary firewalls.)
And if they are already using it on openbsd, it’s almost certainly an easier lift to move from one BSD PF implementation to another versus migrating everything to Linux and iptables.
Let me extend the question to what's wrong with NFTables on Linux? It's a different way to manage Netfilter, out of IPTables.
I've used both and the main advantage is PF/ipfw syntax.
But now with nftables I actually am going back to RHEL on firewalls. I want something ultra-stable and long lived.