[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Releasability of the kFreeBSD ports

On 08/15/2010 11:04 PM, The Anarcat wrote:
On Wed, Aug 04, 2010 at 12:11:26PM -0400, Tuco wrote:
I intend to deploy Debian GNU/kFreeBSD as a backup / NAS server. I
think as a desktop it's still inmature but as a server it's very
usable and has wonderful capabilities in storage
area thanks to ZFS (for example http://www.ypass.net/solaris/zfsbackup/).

I also think it can be a good firewall with PF. It would be very
useful to me if there was a stable release with security support.
Running an unreleased system in production is a bit
impractical :-(
So this (firewall/router requirement) is what brought me to kFreeBSD in
the first place and I have to say that this is not without problems.

This is also what got me interrested.

We have some OpenBSD boxes doing some firewall/router stuff at work, they run with pf with pfsync/carp failover.

It works good for what we have it for, just is doing OpenBSD upgrades, etc. isn't like doing Debian upgrades.

It's kind of OK, but it's not the same. Our Linux servers are running Debian, so why not these firewalls ? It would make life easier
for us.

I also heared FreeBSD can handle more packets or has better driver support in comparison to OpenBSD, this is an old statement though. OpenBSD did a lot of work on there network performance so possible it is not true anymore.

So I also had a look at Debian GNU/kFreeBSD and while I did notice the problem with the networking tools only working with a version 8 kernel I also noticed it's a known problem and people seem to be working on it. And the default installed kernel seems to be 8.1 now too, so I didn't want to complain about it anymore then necessary.

I do however would like to give you folks an idea of what people do with their OpenBSD firewall/routers, first the PF-firewalls.

First thing I noticed when I wanted to do something with PF in (k)FreeBSD is that the default kernel does not have pfsync and carp enabled in the kernel. So I would like to ask the kFreeBSD developers to enable it in the kernel-build.

I haven't checked why this isn't enabled in the default FreeBSD-kernel. Maybe the FreeBSD-developers don't consider it as stable ? I don't know, I do know people use it.

I also don't know what the 'upstream' of the code is, if the PF- and CARP-developers also have commit access to FreeBSD or the FreeBSD-developers just take snapshots of the code from OpenBSD. When I have time I will try and find out and see what version of FreeBSD is similair to OpenBSD's version.

When you need to 'debug' a complicated PF-setup, on OpenBSD (and I think on FreeBSD as well) you can do the following:

(pflog is in the default OpenBSD kernel, in (k)FreeBSD it's a module)
ifconfig pflog0 create (if needed at all)
ifconfig pflog0 up

setup a log rule in /etc/pf.conf and reload the PF-configuration.

And run tcpdump with the right options:

tcpdump -evnpti pflog0

It will show you exactly what is going, it will tell you packet A (first of the TCP-connection I would guess) is allowed at pf.conf line X. But packet B is denied at pf.conf line Y.

This is very useful, but the default tcpdump in kFreeBSD is the one from Debian GNU/Linux I believe which doesn't understand the pcap link-type PFLOG.

While you can do similair things with pflogd and a pcap-file, again it won't help you much because tcpdump can't read that pcap file either.

There is even some extra syntax for tcpdump:



PFSYNC is also a OpenBSD/PF-specific protocol for replicating the firewall-state between two or more OpenBSD firewalls for failover and in newer versions of loadbalancing. tcpdump in atleast OpenBSD also has some support for that.


CARP is the protocol which is also used by the ucarp-tool in Debian GNU/Linux., it provides virtual-IP-services for failover and even certain forms of loadbalancing (atleast in OpenBSD, I don't think ucarp on Linux/BSD can do that).

Other things people on OpenBSD firewalls/routers do is dynamic routing with OpenBGPd and OpenOSPFd. On OpenBSD they are in the default install and provide implementations for the BGP and OSPF network-routing-protocols.

I know there are older versions of OpenBGPd which were supported (it's in ports) on FreeBSD, but as far as I know it's missing TCP-MD5-support, because that should be added to the kernel first.

Concerning OpenOSPFd I thing it's in ports as wel, but I don't know how well that works. Again this is an older version.

So I won't expect Debian to port them, possible Quagga could be easier to deal with as FreeBSD has an up to date version of it in ports.


If you want me to create wishlist item Debian-bugs just let me know.

Or have any questions just let me know.

Hope this was helpful.

Have a nice weekend,

Reply to: