what firewall to use ? outdated/misguided/whatever documentation ?

Nacho Lariguet lariguet at gmail.com
Mon Feb 11 18:44:28 PST 2019


While researching which firewall to use I came across what may seem
outdated/misguided/whatever documentation; please correct me where I'm
wrong (probably the whole story) and advise (if at all possible):

Quoting from "Firewall options in DragonFlyBSD" @
https://www.dragonflybsd.org/docs/handbook/Security/#index8h3

 ... my notes

"DragonFlyBSD inherited the IPFW firewall (versions 1 and 2) when it
forked from FreeBSD."

"Pretty soon after though, we imported the new pf packet filter that
the OpenBSD developers created from scratch."
"It is a cleaner code base and is now the recommended solution for
firewalling DragonFly."
"Keep in mind that the PF version in DragonFly is not in sync with
OpenBSD's PF code."
"We have not yet incorporated the improvements made in PF over the
last few years, but we have some improvements of our own."
"A copy of the OpenBSD PF user's guide corresponding to the version of
PF in DragonFly can be downloaded as TXT or PDF."

 ... so: DragonFlyBSD <- OpenBSD PF
 ... so: DragonFlyBSD current version is 4.5 released 2009-10-15 as
stated in TXT @
https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt

 ... but: OpenBSD PF current version is 5.3 released 2013-10-31 @
https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq53.txt (last FAQ
listed) ?
 ...  or: OpenBSD PF current version is 6.4 @
https://www.openbsd.org/faq/pf/index.html (no version stated here) ?

 ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
 ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
 ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf/pf.c

 ... but PF labeled COPYRIGHT 2002~2008 on /sys/net/pf.c
 ... but PF labeled COPYRIGHT 2010~2014 on /sys/net/pfvar.c

 ... quoting: "... over the last few years ..."
 ... how many years are we talking ? 2009~2019 ? 10 years (or-so) behind ?
 ... really not thinking new features; just security vulnerabilities

"IPFW is still and will remain supported for the foreseeable future;
it has some features not yet available in PF."

 ... so it is on life-support until ... PF eventually synched ?

"If you're interested in IPFW, read ipfw(4) and ipfw(8)."

 ... OK. I am. Let's see the alternative:

 ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
 ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
 ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw/ip_fw2.c

 ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
 ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
 ... https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw/ipfw2.c

 ... so /sys/net/ipfw/ip_fw2.c is 1.6.2.12 2003-04-08 ?
 ... so /sbin/ipfw/ipfw2 is 1.4.2.13 2003-05-27 ?

 ... found (on 2015-03-12): Rename all elements of the port to ipfw3
to reduce confusion ... ie: ipfw2 -> ipfw3

 ... https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6a03354eaf5595cb09622704ea7d2ef2794ccffb

 ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
 ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
 ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3/ip_fw3.c

 ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
 ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
 ... https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3/ipfw3.c

 ... found: IPFW3 labeled COPYRIGHT 2014~2018 both on
/sys/net/ipfw3/ip_fw3.c and /sbin/ipfw3/ipfw3.c

 ... so: IPFW2 (from FreeBSD) imported to DragonFlyBSD keeping
(parallel/separate) development until a point at which it was renamed
IPFW3 ... right ?

 ... question: why is the (now obsolete) IPFW2 still in the tree ?
               what case scenarios does it (15-or-so-years-old code) still
cover in 2019 ?

 ... question: documentation states IPFW (formerly IPFW2, currently
IPFW3) is somewhat on life-support until eventually synchronizing with
current OpenBSD PF
               but source activity seems to tell quite the opposite:
that PF is stalled/abandoned and IPFW3 development keeps going on
               am I right ?

 ... question: what firewall should I actually be using on DragonFlyBSD ?

               - outdated (what seemed many-years behind) PF
advertised for its correctness/clean-code/whatever and recommended
solution by the documentation ?
               - IPFW3
(rewritten-from-scratch/SMP-friendly/improved/etc) although advised
not to by the documentation ?
               - forget about using a firewall in DragonFlyBSD and use
something else elsewhere ?

 ... am I missing something ?

 ... do I have all the facts totally wrong ?
