
Re: Releasability of the kFreeBSD ports



On 08/15/2010 11:04 PM, The Anarcat wrote:
> On Wed, Aug 04, 2010 at 12:11:26PM -0400, Tuco wrote:
>> I intend to deploy Debian GNU/kFreeBSD as a backup / NAS server. I
>> think as a desktop it's still immature but as a server it's very
>> usable and has wonderful capabilities in the storage
>> area thanks to ZFS (for example http://www.ypass.net/solaris/zfsbackup/).
>>
>> I also think it can be a good firewall with PF. It would be very
>> useful to me if there was a stable release with security support.
>> Running an unreleased system in production is a bit
>> impractical :-(
> So this (firewall/router requirement) is what brought me to kFreeBSD in
> the first place and I have to say that this is not without problems.

This is also what got me interested.

We have some OpenBSD boxes doing firewall/router stuff at work; they run pf with pfsync/carp failover.

It works well for what we use it for; it's just that doing OpenBSD upgrades, etc. isn't like doing Debian upgrades.

It's kind of OK, but it's not the same. Our Linux servers are running Debian, so why not these firewalls? It would make life easier for us.

I also heard FreeBSD can handle more packets or has better driver support in comparison to OpenBSD, but this is an old statement. OpenBSD did a lot of work on their network performance, so possibly it is not true anymore.

So I also had a look at Debian GNU/kFreeBSD, and while I did notice the problem with the networking tools only working with a version 8 kernel, I also noticed it's a known problem and people seem to be working on it. And the default installed kernel seems to be 8.1 now too, so I didn't want to complain about it any more than necessary.

I would however like to give you folks an idea of what people do with their OpenBSD firewalls/routers; first the PF firewalls.

The first thing I noticed when I wanted to do something with PF in (k)FreeBSD is that the default kernel does not have pfsync and carp enabled. So I would like to ask the kFreeBSD developers to enable them in the kernel build.

I haven't checked why this isn't enabled in the default FreeBSD kernel. Maybe the FreeBSD developers don't consider it stable? I don't know; I do know people use it.

I also don't know what the 'upstream' of the code is, whether the PF and CARP developers also have commit access to FreeBSD or the FreeBSD developers just take snapshots of the code from OpenBSD. When I have time I will try to find out and see which version of FreeBSD is similar to OpenBSD's version.
___

When you need to 'debug' a complicated PF setup, on OpenBSD (and I think on FreeBSD as well) you can do the following:

(pflog is in the default OpenBSD kernel; in (k)FreeBSD it's a module)

    ifconfig pflog0 create    (if needed at all)
    ifconfig pflog0 up

Set up a log rule in /etc/pf.conf and reload the PF configuration.

And run tcpdump with the right options:

    tcpdump -evnpti pflog0

It will show you exactly what is going on: it will tell you packet A (the first of the TCP connection, I would guess) is allowed at pf.conf line X, but packet B is denied at pf.conf line Y.

This is very useful, but the default tcpdump in kFreeBSD is the one from Debian GNU/Linux, I believe, which doesn't understand the pcap link type PFLOG.

While you can do similar things with pflogd and a pcap file, again it won't help you much because tcpdump can't read that pcap file either.

There is even some extra syntax for tcpdump:

http://www.openbsd.org/cgi-bin/man.cgi?query=pflogd&sektion=8

___

PFSYNC is also an OpenBSD/PF-specific protocol for replicating the firewall state between two or more OpenBSD firewalls for failover and, in newer versions, load balancing. tcpdump in at least OpenBSD also has some support for that.

___

CARP is the protocol which is also used by the ucarp tool in Debian GNU/Linux; it provides virtual IP services for failover and even certain forms of load balancing (at least in OpenBSD; I don't think ucarp on Linux/BSD can do that).
___

Other things people on OpenBSD firewalls/routers do is dynamic routing with OpenBGPd and OpenOSPFd. On OpenBSD they are in the default install and provide implementations of the BGP and OSPF network routing protocols.

I know there are older versions of OpenBGPd which were supported (it's in ports) on FreeBSD, but as far as I know it's missing TCP-MD5 support, because that should be added to the kernel first.

Concerning OpenOSPFd, I think it's in ports as well, but I don't know how well that works. Again this is an older version.

So I won't expect Debian to port them; possibly Quagga could be easier to deal with, as FreeBSD has an up-to-date version of it in ports.

___

If you want me to file wishlist items as Debian bugs, just let me know.

Or if you have any questions, just let me know.

Hope this was helpful.

Have a nice weekend,
    Leen.
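The pflog/tcpdump debugging procedure from the mail above, written out as an added example (not part of Leen's message, nor of any OpenBSD, FreeBSD or Debian code): a small PF ruleset that puts `log` on the decisions worth seeing, and the pflog0 and tcpdump steps as shell functions. The interface name em0, the 192.0.2.0/24 prefix and the `kldload pflog` module name are assumptions; everything else is standard pf.conf and tcpdump syntax.

```sh
#!/bin/sh
# Added example, not from the original mail: a PF ruleset that logs the
# decisions you want to see on pflog0, plus the pflog0/tcpdump steps from
# the post wrapped in functions. "em0" and 192.0.2.0/24 are constructed
# placeholders; the "pflog" module name is an assumption taken from FreeBSD,
# where pflog is loadable rather than built into the kernel.

# Print the ruleset. Every rule carrying "log" writes a record to pflog0
# together with the rule number and action, which is what tcpdump -e shows.
pf_ruleset() {
    cat <<'EOF'
ext_if  = "em0"          # constructed: external interface
lan_net = "192.0.2.0/24" # constructed: documentation prefix, not a real LAN

set skip on lo0

# Default deny, logged: anything that reaches this line shows up on pflog0
block log all

# The LAN may go out; keep state so replies match without a second rule
pass out log on $ext_if inet from $lan_net to any keep state

# SSH from the LAN to the firewall's own address on the external interface
pass in log on $ext_if inet proto tcp from $lan_net to ($ext_if) port 22 keep state
EOF
}

# Count the pass/block rules that will produce pflog records (pure text check,
# reads the ruleset on stdin).
count_logged_rules() {
    grep -E '^(pass|block)' | grep -c -w 'log'
}

# Parse-only check of the ruleset: pfctl -n loads nothing.
pf_check() {
    f=$(mktemp) && pf_ruleset >"$f" && pfctl -n -f "$f"; rc=$?; rm -f "$f"; return $rc
}

# Load the ruleset for real.
pf_load() {
    f=$(mktemp) && pf_ruleset >"$f" && pfctl -f "$f"; rc=$?; rm -f "$f"; return $rc
}

# Bring up the log interface. On OpenBSD pflog is in the kernel and pflog0
# already exists; on (k)FreeBSD the module has to be loaded and the interface
# cloned first, as the post says.
pflog_up() {
    kldload pflog 2>/dev/null || true        # assumption: module name as on FreeBSD
    ifconfig pflog0 create 2>/dev/null || true
    ifconfig pflog0 up
}

# Watch decisions live: -e prints the pflog header (rule number, action,
# direction), -v more detail, -n no name lookups, -p no promiscuous mode,
# -t no timestamps, -i pflog0 the interface. Only useful where tcpdump
# understands the PFLOG link type (the post notes Debian's build does not).
pf_watch() {
    tcpdump -evnpti pflog0 "$@"
}
```

Run `pf_check` before `pf_load`, then `pflog_up` and `pf_watch`. The rule number in each pflog record maps back to a line of the ruleset via `pfctl -vvsr`, which prints every loaded rule prefixed with its number; that is the "allowed at line X / denied at line Y" view the mail describes.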

