Re: Releasability of the kFreeBSD ports
On 08/15/2010 11:04 PM, The Anarcat wrote:
On Wed, Aug 04, 2010 at 12:11:26PM -0400, Tuco wrote:
I intend to deploy Debian GNU/kFreeBSD as a backup / NAS server. I
think as a desktop it's still immature but as a server it's very
usable and has wonderful capabilities in the storage
area thanks to ZFS (for example http://www.ypass.net/solaris/zfsbackup/).
I also think it can be a good firewall with PF. It would be very
useful to me if there was a stable release with security support.
Running an unreleased system in production is a bit
So this (firewall/router requirement) is what brought me to kFreeBSD in
the first place and I have to say that this is not without problems.
This is also what got me interested.
We have some OpenBSD boxes doing some firewall/router stuff at work,
they run with pf with pfsync/carp failover.
It works well for what we have it for; it's just that doing OpenBSD
upgrades, etc. isn't like doing Debian upgrades.
It's kind of OK, but it's not the same. Our Linux servers are running
Debian, so why not these firewalls? It would make life easier.
I also heard FreeBSD can handle more packets or has better driver
support in comparison to OpenBSD, but this is an old
statement. OpenBSD did a lot of work on their network performance,
so possibly it is not true anymore.
So I also had a look at Debian GNU/kFreeBSD, and while I did notice the
problem with the networking tools only working with a
version 8 kernel, I also noticed it's a known problem and people seem to
be working on it. And the default installed kernel seems
to be 8.1 now too, so I didn't want to complain about it anymore, then.
I would however like to give you folks an idea of what people do with
their OpenBSD firewalls/routers, first the PF firewalls.
First thing I noticed when I wanted to do something with PF in
(k)FreeBSD is that the default kernel does not have pfsync and carp
enabled in the kernel. So I would like to ask the kFreeBSD developers to
enable it in the kernel-build.
I haven't checked why this isn't enabled in the default FreeBSD-kernel.
Maybe the FreeBSD developers don't consider it stable? I don't know;
I do know people use it.
I also don't know what the 'upstream' of the code is, whether the PF and
CARP developers also have commit access to FreeBSD or the
FreeBSD developers just take snapshots of the code from OpenBSD. When I
have time I will try to find out and see which version of FreeBSD is
similar to OpenBSD's version.
When you need to 'debug' a complicated PF setup, on OpenBSD (and I think
on FreeBSD as well) you can do the following
(pflog is in the default OpenBSD kernel; in (k)FreeBSD it's a module):

  ifconfig pflog0 create    (if needed at all)
  ifconfig pflog0 up

Set up a log rule in /etc/pf.conf and reload the PF configuration.
Then run tcpdump with the right options:

  tcpdump -evnpti pflog0
It will show you exactly what is going on: it will tell you packet A (the first
of the TCP connection, I would guess) is allowed at pf.conf line X, but
packet B is denied at pf.conf line Y.
This is very useful, but the default tcpdump in kFreeBSD is the one from
Debian GNU/Linux, I believe, which doesn't understand the pcap link type.
While you can do similar things with pflogd and a pcap file, again it
won't help you much because tcpdump can't read that pcap file either.
There is even some extra syntax for tcpdump:
PFSYNC is also an OpenBSD/PF-specific protocol for replicating the
firewall state between two or more OpenBSD firewalls for failover and, in
newer versions, load balancing. tcpdump, at least on OpenBSD, also has
some support for that.
CARP is the protocol which is also used by the ucarp tool in Debian
GNU/Linux; it provides virtual IP services for failover and even
certain forms of load balancing (at least in OpenBSD; I don't think ucarp
on Linux/BSD can do that).
Other things people on OpenBSD firewalls/routers do is dynamic routing
with OpenBGPd and OpenOSPFd. On OpenBSD they are in the default install
and provide implementations for the BGP and OSPF network-routing-protocols.
I know there are older versions of OpenBGPd which were supported (it's
in ports) on FreeBSD, but as far as I know it's missing TCP-MD5-support,
because that should be added to the kernel first.
Concerning OpenOSPFd, I think it's in ports as well, but I don't know how
well that works. Again this is an older version.
So I won't expect Debian to port them; possibly Quagga could be easier
to deal with, as FreeBSD has an up-to-date version of it in ports.
If you want me to create wishlist-item Debian bugs, just let me know.
Or if you have any questions, just let me know.
Hope this was helpful.
Have a nice weekend,
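The pflog debugging procedure above leaves you reading `tcpdump -evnpti pflog0` output by eye. As an added example (not part of this thread, and assuming a tcpdump that understands the pflog link type, as on OpenBSD), here is a small Python parser that turns that output into per-rule pass/block counts and a list of blocked source hosts; the sample lines and the rule numbers in them are constructed, and the regex accepts both the OpenBSD "rule N/(match)" and the FreeBSD "rule N/0(match):" layouts.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -evnpti pflog0` output (not captured from a
# real firewall).  Lines 1, 2 and 4 use the OpenBSD layout, line 3 the FreeBSD one.
SAMPLE_PFLOG = """\
12:00:01.000001 rule 4/(match) pass in on em0: 192.0.2.10.51234 > 198.51.100.5.22: S 1:1(0) win 65535
12:00:01.000002 rule 7/(match) block in on em0: 203.0.113.9.4444 > 198.51.100.5.23: S 1:1(0) win 1024
12:00:01.000003 rule 7/0(match): block in on em0: 203.0.113.9.4445 > 198.51.100.5.25: S 1:1(0) win 1024
12:00:02.000004 rule 4/(match) pass in on em0: 192.0.2.11.40000 > 198.51.100.5.22: S 1:1(0) win 65535
"""

# rule number, action and direction are what map a packet back to a pf.conf rule.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\S*\(match\):? "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def parse_pflog_line(line):
    """Return the fields of one pflog record, or None for lines that don't match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # tcpdump prints addresses as "host.port"; split off the trailing port.
    rec["src_host"], rec["src_port"] = rec["src"].rsplit(".", 1)
    rec["dst_host"], rec["dst_port"] = rec["dst"].rsplit(".", 1)
    return rec


def summarize(text):
    """Count matched packets per (action, rule number), e.g. ('block', 7) -> 2."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["action"], rec["rule"])] += 1
    return counts


def blocked_sources(text):
    """Sorted source hosts that hit a block rule, for review or alerting."""
    recs = (parse_pflog_line(line) for line in text.splitlines())
    return sorted({r["src_host"] for r in recs if r and r["action"] == "block"})


if __name__ == "__main__":
    for (action, rule), n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(f"{action:5} rule {rule}: {n} packet(s)")
    print("blocked sources:", ", ".join(blocked_sources(SAMPLE_PFLOG)))
```

The rule number printed by pflog is the position in the loaded ruleset, so compare it against `pfctl -vvsr` output rather than against raw line numbers in pf.conf.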