Date: Thu, 5 Nov 2020 12:53:04 +0000
From: Thomas Laus <lausts@acm.org>
To: Mateusz Piotrowski <0mp@FreeBSD.org>
Cc: "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject: Re: Using OpenBSD guest as PF firewall
Message-ID: <010001759877babf-ecf79ea6-31d9-49bf-85c5-b93c2689cb96-000000@email.amazonses.com>
In-Reply-To: <b0aa514b-abb1-983b-c864-2e9d080b4f55@FreeBSD.org>
References: <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com> <974524126.1643642.1604508967098@mail.yahoo.com> <0100017594cd88fb-b5e708e7-8213-4c8e-9446-9b1a28fb2a61-000000@email.amazonses.com> <1520318938.1718710.1604519358758@mail.yahoo.com> <b0aa514b-abb1-983b-c864-2e9d080b4f55@FreeBSD.org>

On 11/4/20 4:40 PM, Mateusz Piotrowski wrote:
>
> Just for the record, the pf version currently available in FreeBSD is
> not just an old OpenBSD pf. See the note in the PF chapter in the
> handbook (https://www.freebsd.org/doc/handbook/firewalls-pf.html):
>
> "Warning:
>
> When reading the PF FAQ, keep in mind that FreeBSD's version of PF has
> diverged substantially from the upstream OpenBSD version over the years.
> Not all features work the same way on FreeBSD as they do in OpenBSD and
> vice versa."
>

OpenBSD has all its PF functionality built as part of their standard
kernel including traffic shaping queues. Their rule syntax has also
been simplified over the version in FreeBSD. I can write a 'pass in'
for a port, assign it to a queue, and redirect the output to another
port all in one statement. The version in FreeBSD is a little more
complicated. FreeBSD's version also requires recompiling the kernel
source to activate the queues.

Running an OpenBSD firewall front end to a FreeBSD bhyve host has a
small overhead of less than 1G of disk and 1G of RAM on a server with
16G of RAM and 1T of disk. OpenBSD uses 'syspatch' for binary upgrades.
I would have to recompile the kernel source each time on a FreeBSD host
to have bandwidth shaping queues.

Tom

--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF