Hacker News

INTPenis, yesterday at 10:58 PM

I've used both and the main advantage is PF/ipfw syntax.

But now with nftables I actually am going back to RHEL on Firewalls. I want something ultra-stable and long lived.


Replies

wahern, yesterday at 11:41 PM

I've been using OpenBSD and PF for nearly 25 years (PF debuted December 2001). Over those years there have been syntax changes to pf.conf, but the most disruptive were early on, and I can't remember the last syntax change that affected my configs (mostly NAT, spamd, and connection rate limiting).

During that time the firewall tool du jour on Linux was ipchains, then iptables, and now nftables, and there have been at least some incompatible changes within the lifespan of each tool.

OpenBSD has an additional leg up in that incompatible changes between releases are concisely, clearly, and consistently documented, e.g. https://www.openbsd.org/faq/upgrade78.html. The last incompatible pf.conf syntax change I could find was for 6.9, nearly 5 years ago: https://www.openbsd.org/faq/upgrade69.html
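As an added illustration (not part of either comment), here is a minimal OpenBSD pf.conf covering the three things wahern's configs are said to consist of: NAT, spamd redirection, and connection rate limiting. Interface names, the LAN, the spamd port and the rate limits are assumed values chosen for the example.

```pf
# Added example, not from either comment: a minimal OpenBSD pf.conf showing
# NAT, spamd(8) redirection and connection-rate limiting. Interface names
# and the limits below are assumed values, not taken from any real host.
ext_if = "em0"
int_if = "em1"

table <bruteforce> persist
table <spamd-white> persist

set skip on lo

# NAT: rewrite outbound LAN traffic to the external interface's current
# address (the parentheses make pf track address changes, e.g. DHCP)
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Default deny, and drop anything already flagged as a brute-forcer before
# any pass rule can match it
block all
block in quick from <bruteforce>

pass in on $int_if
pass out on $ext_if keep state

# SSH rate limiting: at most 10 concurrent connections per source and at
# most 5 new connections per 30 seconds; a source that exceeds either limit
# is added to <bruteforce> and all of its existing states are flushed
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# SMTP: unknown senders are redirected to spamd listening on 127.0.0.1:8025;
# sources spamd has whitelisted reach the real mail server instead
# (pf's last-matching-rule semantics make the second rule win for them)
pass in on $ext_if proto tcp to ($ext_if) port smtp rdr-to 127.0.0.1 port 8025
pass in on $ext_if proto tcp from <spamd-white> to ($ext_if) port smtp
```

Before loading a change, `pfctl -nf /etc/pf.conf` parses the file without applying it, which is the check to run across an upgrade if a release note mentions a pf.conf syntax change. `pfctl -t bruteforce -T show` lists the sources the overload rule has trapped, which is the quickest way to confirm the rate limit is actually firing.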