What's everyone's experience with modern PF in production? Also, not to start a holy war, but what people think about modern PF vs nftables? I've only ever used nftables (and only in fairly simple scenarios) but I've always been curious about the PF side of the world.
I manage a pf.conf with about 400 rules across a dozen VLANs, I find it intuitive and even enjoyable to work on. It feels kinda like editing source code - there are some host, network, and port declarations at the top, a section for NAT and egress, then a section for each VLAN that contains the pass in/pass out rules.
I tail the pflog0 interface in a tmux session so I can keep an eye on pass/block, and also keep a handy function in my .profile to make it easy to edit the ruleset and reload:
This opens the file for editing, reloads the ruleset (which also validates it), then returns the rule count if successful.

I haven't used Linux as a gateway in years, so I can only compare pf to iptables. The two biggest differences are the way the rules are applied and the logging.
pf rules work a little backwards compared to iptables. A packet traverses the entire ruleset and the last rule to match wins. You can short-circuit this with a "quick" directive. It takes a bit of getting used to coming from iptables.
The logging on pf doesn't integrate with syslog automatically like iptables does. You're expected to set up a logging system for your particular use case. There are several ways to do it, and for production you'd be doing it regardless, but for homelab setups it's an extra thing you need to worry about.
I prefer pf, but I don't recommend it to people new to firewalls.
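As an added example, and not the commenter's own .profile function: a POSIX sh helper for the edit, validate, reload, count workflow described above, plus a pflog0 tail. It assumes an OpenBSD-style pfctl and tcpdump on the box; the names pfe, pfwatch, PF_CONF and PFLOG_IF are my own, and /etc/pf.conf is the assumed ruleset path.

```shell
# Added example, not the commenter's function. Assumes OpenBSD pfctl/tcpdump.
# PF_CONF overrides the assumed default ruleset path /etc/pf.conf.
pfe() {
    conf="${PF_CONF:-/etc/pf.conf}"
    ${EDITOR:-vi} "$conf" || return 1

    # Parse only (-n) before touching the live ruleset: if the edit broke
    # the syntax, the previously loaded rules stay in place and we stop here.
    if ! pfctl -nf "$conf"; then
        echo "pfe: $conf failed to parse, ruleset NOT reloaded" >&2
        return 1
    fi

    # Load the full config (options, tables, rules) and print the number
    # of filter rules now active, as a quick sanity check after the reload.
    pfctl -f "$conf" || return 1
    pfctl -sr | wc -l | tr -d ' '
}

# Live view of logged pass/block decisions on the pflog interface.
# -n: no DNS lookups, -e: print the pf header (rule number, action,
# direction, interface), -ttt: timestamps relative to the previous packet.
pfwatch() {
    tcpdump -n -e -ttt -i "${PFLOG_IF:-pflog0}"
}
```

Only rules with the `log` keyword show up on pflog0, so pfwatch shows exactly what the ruleset asked to be logged; a `block log all` default deny is the usual way to make sure drops are visible there.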
Their BDFL thinks BC breaks are great ("we'll be in a better place", I remember him saying) and has blessed breaking pf multiple times by changing the rule syntax, so that prior versions of this book are suddenly obsolete along with countless tutorials, forum posts, etc.
This is one thing M$ gets right, in business environments you don’t do that. I wouldn’t use pf for anything outside a home lab.
It's slower than nftables.
Not to ask anyone for free work, but if there's any write-up on this, I'd love to read it.
https://toni.cunyat.net/2019/11/nftables-vs-pf-ipv4-filterin.... According to this article, it depends on the use case.
It's a great book, I used to have some edition of it and it helped me a lot professionally with setting up firewalls, load balancing, traffic shaping and more.
I also had a book on Designing FreeBSD rootkits that was very educational.
Unfortunately I've given away all my books for more minimalistic living where I am instead dependent on digital information. Not sure how to feel about it.
I almost did the same and still think about doing it! I also have an older edition of this book somewhere in a small stack of OpenBSD books I purchased when I was first learning the system. These days I never reference them. But they do make for a neat OpenBSD area on my bookshelf.
There are e-readers and DRM-free electronic libraries.
Lots of admiration for No Starch - your books are great!
Per Dr. Marshall Kirk McKusick (as announced in one of the recent BSD conferences), No Starch Press will be publishing the third edition of the Design and Implementation of the FreeBSD Operating System book sometime later this year.
I was just wondering about this the other day. I own both previous versions.
Chapter 1, config files don't go in /etc. Well they do, but also /var. And also here and also there. It's like Linux: you get a free treasure hunt built in when you need to update something. Some services get local_ attached even though all the services are local. Somehow NetBSD is able to avoid all of this. But do you want working drivers or not? End of chapter 1.
Actually FreeBSD is great and for a modern OS better than Linux in all ways but ecosystem, and even there it's fine. But also the design, while it makes sense in some way, kind of sucks; it's messy.
Yeah. My favorite are books that guide you through implementing complex systems projects from scratch, like Nora Sandler's "Writing a C compiler", or Sy Brand's "Building a Debugger". I wish they produced A LOT more of them.
Those are some new and very, very shallow books. There are better ones from the '90s and '80s.
The central point behind this type of books isn't so much to build an enterprise-grade production-ready thing, but rather to bridge the delta between zero and having a working thing of sufficiently large complexity, which inevitably exists for someone who had never been there before. Having that in mind, I think these books are very valuable.
Much like swimming, it helps to start in the shallow end before you tread into deeper waters.
Care to name a few such good oldies?
https://www.amazon.com/Compiler-Construction-Monographs-Comp...
This one is my favorite.
I buy ebooks straight from publishers like Nostarch and Leanpub. (In fact, I have an older edition of this book). There are a few books that are sold directly by the authors too. All of them DRM-free.
I actively avoid publishers and sellers who don't respect me as a consumer/reader. People need to start demanding better deals, or else we'll end up with monopolies that won't think twice about deleting books in your custody that you purchased from them.
Got any notable suggestions from Leanpub?
Yarr, that do be a problem matie.
In all seriousness, how has DRM not yet been recognized as the failure it is?
I wish I had more of them. I maintain a modest library made out of real paper and I'm so glad No Starch still has good quality paper and excellent binding. I have a few of the more recent print on demand O'Reilly books but they feel more like cheap print outs I could have done myself. Unfortunately they are just so expensive so I do have to be very selective.
PF = Packet Filter
Was thinking I had missed an entire edition of Pathfinder for a moment upon reading the title
Your comment made me one day younger.
I'd love something similarly scoped centered around nftables. Does anyone have a suggestion? I see No Starch has a Linux Firewall book, but it's from 2008 and is thus iptables-based.
nftables has a really good doc site: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page. I wouldn't rely on any book.