From owner-freebsd-virtualization@freebsd.org Thu Nov 5 12:53:08 2020
From: Thomas Laus
Reply-To: lausts@acm.org
To: Mateusz Piotrowski <0mp@FreeBSD.org>
Cc: "freebsd-virtualization@freebsd.org"
Subject: Re: Using OpenBSD guest as PF firewall
Date: Thu, 5 Nov 2020 12:53:04 +0000
Message-ID: <010001759877babf-ecf79ea6-31d9-49bf-85c5-b93c2689cb96-000000@email.amazonses.com>
References: <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com> <974524126.1643642.1604508967098@mail.yahoo.com> <0100017594cd88fb-b5e708e7-8213-4c8e-9446-9b1a28fb2a61-000000@email.amazonses.com> <1520318938.1718710.1604519358758@mail.yahoo.com>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101 Thunderbird/78.3.3
List-Id: "Discussion of various virtualization techniques FreeBSD supports."
On 11/4/20 4:40 PM, Mateusz Piotrowski wrote:
>
> Just for the record, the pf version currently available in FreeBSD is
> not just an old OpenBSD pf. See the note in the PF chapter in the
> handbook (https://www.freebsd.org/doc/handbook/firewalls-pf.html):
>
> "Warning:
>
> When reading the PF FAQ, keep in mind that FreeBSD's version of PF has
> diverged substantially from the upstream OpenBSD version over the years.
> Not all features work the same way on FreeBSD as they do in OpenBSD and
> vice versa."
>

OpenBSD has all its PF functionality built as part of their standard kernel, including traffic shaping queues. Their rule syntax has also been simplified over the version in FreeBSD. I can write a 'pass in' for a port, assign it to a queue, and redirect the output to another port all in one statement. The version in FreeBSD is a little more complicated. FreeBSD's version also requires recompiling the kernel source to activate the queues.

Running an OpenBSD firewall front end to a FreeBSD bhyve host has a small overhead of less than 1G of disk and 1G of RAM on a server with 16G of RAM and 1T of disk. OpenBSD uses 'syspatch' for binary upgrades. I would have to recompile the kernel source each time on a FreeBSD host to have bandwidth shaping queues.

Tom

--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
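The syntax difference Tom describes (one OpenBSD rule that passes, redirects and queues, versus FreeBSD's separate ALTQ, translation and filter rules plus a kernel rebuild) is illustrated below. This is an added example, not configuration posted in the thread; the interface name em0, the 192.0.2.10 backend address, the bandwidth figures and the queue names are constructed for illustration.

```conf
# ---- OpenBSD /etc/pf.conf (assumed: em0 is the outside interface) ----
# Queues are built into the GENERIC kernel; no rebuild needed.
queue rootq on em0 bandwidth 100M
queue web   parent rootq bandwidth 20M
queue std   parent rootq bandwidth 80M default

# One statement: pass inbound port 80, redirect it to the backend on 8080,
# and put the traffic in the "web" queue.
pass in on em0 proto tcp from any to (em0) port 80 \
    rdr-to 192.0.2.10 port 8080 set queue web

# ---- FreeBSD /etc/pf.conf (same policy, ALTQ syntax) ----
# ALTQ scheduler is declared per interface, with its own queue definitions.
altq on em0 cbq bandwidth 100Mb queue { web, std }
queue web bandwidth 20Mb cbq
queue std bandwidth 80Mb cbq(default)

# Translation rules are a separate section evaluated before filter rules ...
rdr on em0 proto tcp from any to (em0) port 80 -> 192.0.2.10 port 8080

# ... so the filter rule must match the already-translated destination
# and carries the queue assignment.
pass in on em0 proto tcp from any to 192.0.2.10 port 8080 queue web

# ---- FreeBSD kernel configuration ----
# ALTQ is not in GENERIC; these options must be added to a custom kernel
# config and the kernel rebuilt before the altq/queue lines above load.
options ALTQ
options ALTQ_CBQ        # class-based queueing, as used above
options ALTQ_NOPCC      # required on SMP systems
```

On either system, `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to confirm that the queue and redirect syntax is accepted by the pf version actually installed; on a FreeBSD kernel built without ALTQ the `altq on` line is the one that fails to load.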