what firewall to use ? outdated/misguided/whatever documentation ?

Sepherosa Ziehau sepherosa at gmail.com
Tue Feb 12 02:19:34 PST 2019


Well, I don't know how you read the ipfw2 logs, the latest effective
change is at:
https://gitweb.dragonflybsd.org/dragonfly.git/commit/bd3c67c0d566d63cb66697206eb49208a9e0f7b9

That's "Tue, 16 Jan 2018 05:09:49 +0000".

And I am still working on it, though limited by my spare time.

Thanks,
sephe

On Tue, Feb 12, 2019 at 10:44 AM Nacho Lariguet <lariguet at gmail.com> wrote:
>
> While researching which firewall to use I came across what may seem
> outdated/misguided/whatever documentation; please, correct me when
> wrong (probably the whole story) and advise (if at all possible):
>
> Quoting from "Firewall options in DragonFlyBSD" @
> https://www.dragonflybsd.org/docs/handbook/Security/#index8h3
>
>  ... my notes
>
> "DragonFlyBSD inherited the IPFW firewall (versions 1 and 2) when it
> forked from FreeBSD."
>
> "Pretty soon after though, we imported the new pf packet filter that
> the OpenBSD developers created from scratch."
> "It is a cleaner code base and is now the recommended solution for
> firewalling DragonFly."
> "Keep in mind that the PF version in DragonFly is not in sync with
> OpenBSD's PF code."
> "We have not yet incorporated the improvements made in PF over the
> last few years, but we have some improvements of our own."
> "A copy of the OpenBSD PF user's guide corresponding to the version of
> PF in DragonFly can be downloaded as TXT or PDF."
>
>  ... so: DragonFlyBSD <- openBSD PF
>  ... so: DragonFlyBSD current version is 4.5 released 2009-10-15 as
> stated in TXT @
> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt
>
>  ... but: openBSD PF current version is 5.3 released 2013-10-31 @
> https://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq53.txt (last FAQ
> listed) ?
>  ...  or: openBSD PF current version is 6.4 @
> https://www.openbsd.org/faq/pf/index.html (no version stated here) ?
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/pf/pf.c
>
>  ... but PF labeled COPYRIGHT 2002~2008 on /sys/net/pf.c
>  ... but PF labeled COPYRIGHT 2010~2014 on /sys/net/pfvar.c
>
>  ... quoting: "... over the last few years ..."
>  ... how many years are we talking ? 2009~2019 ? 10 years (or-so) behind ?
>  ... really not thinking new features; just security vulnerabilities
>
> "IPFW is still and will remain supported for the foreseeable future;
> it has some features not yet available in PF."
>
>  ... so it is on life-support until ... PF eventually synched ?
>
> "If you're interested in IPFW, read ipfw(4) and ipfw(8)."
>
>  ... OK. I am. Let's see the alternative:
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw/ip_fw2.c
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw/ipfw2.c
>
>  ... so /sys/net/ipfw/ip_fw2.c is 1.6.2.12 2003-04-08 ?
>  ... so /sbin/ipfw/ipfw2 is 1.4.2.13 2003-05-27 ?
>
>  ... found (on 2015-03-12): Rename all elements of the port to ipfw3
> to reduce confusion ... ie: ipfw2 -> ipfw3
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6a03354eaf5595cb09622704ea7d2ef2794ccffb
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/733df9ef278607bdbfa284dccb19d893126a154d:/sys/net/ipfw3/ip_fw3.c
>
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/tree/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/history/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3
>  ... https://gitweb.dragonflybsd.org/dragonfly.git/blob/733df9ef278607bdbfa284dccb19d893126a154d:/sbin/ipfw3/ipfw3.c
>
>  ... found: IPFW3 labeled COPYRIGHT 2014~2018 both on
> /sys/net/ipfw3/ip_fw3.c and /sbin/ipfw3/ipfw3.c
>
>  ... so: IPFW2 (from FreeBSD) was imported into DragonFlyBSD and kept
> (parallel/separate) development until the point at which it was renamed
> IPFW3 ... right ?
>
>  ... question: why is the (now obsolete) IPFW2 still in the tree ?
>                what case scenarios does (15-or-so-year-old) code still
> cover, it being 2019 ?
>
>  ... question: documentation states IPFW (formerly IPFW2 currently
> IPFW3) is somewhat on life-support until eventually synchronizing
> openBSD PF current
>                but source activity seems to tell quite the opposite:
> that PF is stalled/abandoned and IPFW3 development keeps going on;
>                am I right ?
>
>  ... question: what firewall should I actually be using on DragonFlyBSD ?
>
>                - outdated (what seems many years behind) PF,
> advertised for its correctness/clean code/whatever and the recommended
> solution by the documentation ?
>                - IPFW3
> (rewritten from scratch/SMP-friendly/improved/etc.), although the
> documentation advises against it ?
>                - forget about using a firewall in DragonFlyBSD and use
> something else elsewhere ?
>
>  ... am I missing something ?
>
>  ... do I have all the facts totally wrong ?

-- 
Tomorrow Will Never Die
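Neither message shows what a ruleset for the "4.5-era" PF the handbook describes looks like, so here is a minimal default-deny pf.conf as an added example (written for this page; it is not from the thread, the DragonFly handbook or the OpenBSD FAQ). It deliberately restricts itself to syntax documented in the OpenBSD 4.5 PF user's guide the handbook links to (separate nat rule, explicit "flags S/SA keep state", no "match" or "nat-to"), on the assumption that the PF shipped in DragonFly accepts that dialect. The interface names em0/em1 and the 192.168.1.0/24 network are placeholders, and the ruleset is IPv4-only.

```pf
# Minimal default-deny ruleset for DragonFlyBSD's PF (added example, not from
# the thread). Assumes the OpenBSD 4.5-era syntax referenced by the handbook:
# no "match", no "nat-to"; NAT is a separate rule type evaluated before the
# filter rules.
ext_if = "em0"              # assumption: external interface
int_if = "em1"              # assumption: internal interface
lan    = "192.168.1.0/24"   # assumption: internal network (IPv4 only here)

# Source/destination ranges that must never appear on the external interface.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
# Filled at runtime by the overload clause on the ssh rule below.
table <bruteforce> persist

set skip on lo0
set block-policy drop       # drop silently instead of answering with RST/ICMP
scrub in all                # reassemble fragments, normalise suspicious headers

# Translation: a separate nat rule in this generation of PF.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny for inbound traffic, logged to pflog0; outbound is stateful.
block in log all
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
block in quick from <bruteforce>

# Only the services explicitly offered. "flags S/SA" and "keep state" are
# already the defaults on 4.1+, spelled out here so the intent is visible.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on $int_if from $lan to any keep state
pass out on $ext_if keep state

# Checks a practitioner runs before trusting any of the above:
#   pfctl -nf /etc/pf.conf            # parse only; nothing is loaded
#   pfctl -f /etc/pf.conf && pfctl -sr  # load, then print what the kernel holds
#   pfctl -t bruteforce -T show       # who has been throttled into the table
#   tcpdump -n -e -ttt -i pflog0      # see exactly what the block rules log
```

The parse-only run ("pfctl -nf") is the important one on a PF that is not in sync with OpenBSD's: if the dialect in the tree rejects a keyword, it fails here rather than after the old ruleset has already been flushed. Enabling PF at boot is assumed to follow the FreeBSD-derived rc convention (pf_enable="YES" and pf_rules="/etc/pf.conf" in /etc/rc.conf); check rc.conf(5) on the system rather than taking that from this example.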