what firewall to use ? outdated/misguided/whatever documentation ?

Nacho Lariguet lariguet at gmail.com
Tue Feb 12 08:53:40 PST 2019


Thanks for your reply, Sepherosa!

"Well, I don't know how you read the ipfw2 logs ..."

I'm really new here (meaning the *nix community overall). I surfed the
tree on the Git web interface and after some time located the source
code for all the firewall options available to look for
versions/activity and the like; i.e., to get some sense of the
development pace. The versions/times/dates I quoted were taken mainly
from the comments on top of the relevant files.

I'm just trying to understand what to use and what not to use, and the
documentation, while very helpful, seemed a bit confusing on what
direction the firewall options are eventually going. Thus I sought
advice.

I understand OpenBSD relies on PF (which it created from scratch) while
FreeBSD moved from IPFW to IPF (which it also created from scratch) ...
am I right?


On 2/12/19, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> Well, I don't know how you read the ipfw2 logs, the latest effective
> change is at:
> https://gitweb.dragonflybsd.org/dragonfly.git/commit/bd3c67c0d566d63cb66697206eb49208a9e0f7b9
>
> That's "Tue, 16 Jan 2018 05:09:49 +0000".
>
> And I am still working on it, though limited by my spare time.
>
> Thanks,
> sephe
>
> On Tue, Feb 12, 2019 at 10:44 AM Nacho Lariguet <lariguet at gmail.com> wrote:
>>
>> While researching which firewall to use I came across what may seem
>> outdated/misguided/whatever documentation; please correct me when
>> wrong (probably the whole story) and advise (if at all possible):
>>
>> Quoting from "Firewall options in DragonFlyBSD" @
>> https://www.dragonflybsd.org/docs/handbook/Security/#index8h3
>>
>>  ... my notes
>>
>> "DragonFlyBSD inherited the IPFW firewall (versions 1 and 2) when it
>> forked from FreeBSD."
>>
>> "Pretty soon after though, we imported the new pf packet filter that
>> the OpenBSD developers created from scratch."
>> "It is a cleaner code base and is now the recommended solution for
>> firewalling DragonFly."
>> "Keep in mind that the PF version in DragonFly is not in sync with
>> OpenBSD's PF code."
>> "We have not yet incorporated the improvements made in PF over the
>> last few years, but we have some improvements of our own."
>> "A copy of the OpenBSD PF user's guide corresponding to the version of
>> PF in DragonFly can be downloaded as TXT or PDF."
>>
>>  ... so: DragonFlyBSD <- OpenBSD PF
>>  ... so: DragonFlyBSD current version is 4.5 released 2009-10-15 as
>> stated in TXT @
>> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt
>>
>>  ... but: OpenBSD PF current version is 5.3 released 2013-10-31 @
>> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq53.txt (last FAQ
>> listed)?
>>  ...  or: OpenBSD PF current version is 6.4 @
>> https://www.openbsd.org/faq/pf/index.html (no version stated here)?
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf/pf.c
>>
>>  ... but PF labeled COPYRIGHT 2002~2008 on /sys/net/pf.c
>>  ... but PF labeled COPYRIGHT 2010~2014 on /sys/net/pfvar.c
>>
>>  ... quoting: "... over the last few years ..."
>>  ... how many years are we talking? 2009~2019? 10 years (or so)
>> behind?
>>  ... really not thinking of new features; just security vulnerabilities
>>
>> "IPFW is still and will remain supported for the foreseeable future;
>> it has some features not yet available in PF."
>>
>>  ... so it is on life support until ... PF is eventually synced?
>>
>> "If you're interested in IPFW, read ipfw(4) and ipfw(8)."
>>
>>  ... OK. I am. Let's see the alternative:
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw/ip_fw2.c
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw/ipfw2.c
>>
>>  ... so /sys/net/ipfw/ip_fw2.c is 1.6.2.12 2003-04-08?
>>  ... so /sbin/ipfw/ipfw2 is 1.4.2.13 2003-05-27?
>>
>>  ... found (on 2015-03-12): "Rename all elements of the port to ipfw3
>> to reduce confusion" ... i.e., ipfw2 -> ipfw3
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6a03354eaf5595cb09622704ea7d2ef2794ccffb
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3/ip_fw3.c
>>
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
>>  ...
>> https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3/ipfw3.c
>>
>>  ... found: IPFW3 labeled COPYRIGHT 2014~2018 both on
>> /sys/net/ipfw3/ip_fw3.c and /sbin/ipfw3/ipfw3.c
>>
>>  ... so: IPFW2 (from FreeBSD) was imported into DragonFlyBSD, keeping
>> (parallel/separate) development until the point at which it was
>> renamed IPFW3 ... right?
>>
>>  ... question: why is the (now obsolete) IPFW2 still in the tree?
>>                What scenarios does (15-or-so-year-old) code still
>> cover in 2019?
>>
>>  ... question: the documentation states IPFW (formerly IPFW2,
>> currently IPFW3) is somewhat on life support until eventually
>> synchronizing with current OpenBSD PF,
>>                but source activity seems to tell quite the opposite:
>> that PF is stalled/abandoned and IPFW3 development keeps going on.
>>                Am I right?
>>
>>  ... question: what firewall should I actually be using on DragonFlyBSD?
>>
>>                - outdated (what seems many years behind) PF,
>> advertised for its correctness/clean code/whatever and the
>> recommended solution by the documentation?
>>                - IPFW3
>> (rewritten from scratch/SMP-friendly/improved/etc.), although advised
>> against by the documentation?
>>                - forget about using a firewall in DragonFlyBSD and use
>> something else elsewhere?
>>
>>  ... am I missing something?
>>
>>  ... do I have all the facts totally wrong?
>
>
>
> --
> Tomorrow Will Never Die
>


-- 
nacho Lariguet
lariguet at gmail.com