There's a culture of documentation in BSD which exceeds Linux. There's a larger commercial/reputational market for a Linux book of course, but that attracts different writers, who are often not as good/knowledgeable/motivated/dedicated/etc as the BSD documentation writers.
Additionally, BSD has a culture of simplicity and consistency which is entirely absent in Linux. This makes documentation more clear and much more durable.
(I've used both FreeBSD and NetBSD in the past; this is not a baseless claim.)
I kid. Sort of. Systemd is a great startup launcher -- maybe even an improvement over rc.d. Although I confess I've never had any issues with rc.d. Systemd can be quicker, which is nice, but 15 seconds saved on a server that reboots very infrequently is not super interesting. More importantly, the rest of systemd is less compelling.
I wish Linux’s firewalls were so easy to configure. The closest I’ve found there is with ufw, which isn’t nearly so comprehensive or straightforward, but at least goes in the right direction.
nft (nftables) is easy and has a similar pf-like 'feel' while offering way more functionality. After decades of `iptables` (and `ipchains` before) nft(ables) is a breath of fresh air.
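To make the comparison concrete, here is the same small stateful host policy written twice: once as an OpenBSD pf.conf and once as an nftables ruleset. This is an added example, not something posted in the thread or taken from either project's documentation; the interface names (em0, eth0) and the port list are assumptions for illustration.

```conf
# ---- pf.conf (OpenBSD syntax; the ported versions differ in places) ----
ext_if = "em0"                      # assumed external interface

set skip on lo                      # never filter loopback
block return log all                # default deny, log what we drop
pass out quick                      # allow all outbound; replies are tracked (state is kept by default)
pass in on $ext_if proto tcp to port { 22 443 }   # only SSH and HTTPS inbound

# ---- nftables equivalent (load with: nft -f thisfile) ----
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny
        iif "lo" accept                                   # never filter loopback
        ct state established,related accept               # replies to our own traffic
        ct state invalid drop
        iifname "eth0" tcp dport { 22, 443 } ct state new accept   # assumed interface
        log prefix "input-drop: " drop                    # log what we drop
    }
    chain output {
        type filter hook output priority 0; policy accept;   # allow all outbound
    }
}
```

The structural resemblance is the point the comment makes: both read top to bottom as a small set of declarative rules, with connection tracking doing the work of matching return traffic, rather than the per-chain jump tables that iptables rulesets tend to grow into.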
The scenario is like the cgroup v1 and v2 change.
The clearest example of this was the megaraid command for LSI RAID cards. Its commands are documented in the getopt style but I accidentally found out that the dashes were optional. And while the syntax was still sort of ass, my scripts were much easier to read.
FWIW I have the previous edition of the Book of PF on my bookshelf but I rarely reference it after reading through it a couple years back. Standard homelab-grade rulesets are pretty straightforward to set up.
I will say, they all pretty much work, until you get into more esoteric stuff; do you want to drop SYNs where the last 16 bits of seq match the client's port number? Do you want to drop UDP RTP packets for a specific SSRC? If so, that need may guide your firewall choice. If you need to sync states between two stateful firewalls, that pushes you to pf with pfsync. Etc.
I guess I didn't see a big difference in perceived happiness between any of the rules systems? pf.conf is maybe more picky and checks everything at once, which is nice so you don't end up with a half baked ruleset.
Otoh, pf has the feature that OpenBSD changed the rule syntax, and the ported versions didn't; I'm not sure a forced migration of rule config would have sparked joy for OpenBSD users anyway, but it certainly doesn't spark joy when I read current documentation for the OpenBSD pf and can't apply it directly, and have to translate the config language to the original language.
Pf also has the extra special feature that Apple ported pf to macOS but some things don't work properly for a host firewall (synproxy in macOS pf only works if the Mac is operating as a router, not as a host... And macOS's TCP stack has no SYN flood mitigation, beyond having a small listen backlog or not accepting SYNs directly from the internet). That's an Apple failing, not really a pf failing, but still, frustrating.
I'll have to look again and see if FreeBSD pf has gotten the features I need from ipfw, so maybe I don't have to run two firewalls at the same time. :(
I'm guessing this is something about a vulnerability in client sequence number selection? I'm curious about the details here for what would motivate this.
Sorry again! I really did just make this up.
I was hoping it was like a nice programming language whose internal structure made sense to an experienced developer. Where I can incrementally build things up and log things to the console as I go along and troubleshoot. But it turns out that setting up a VPN involves a big bang config with a dozen lines and it’s unclear which of them is broken.
It’s a DSL and not a programming language and often there is very little you can do to troubleshoot that’s short of reading the source code, the protocol spec, and firing up Wireshark.
I found various configs on random websites or in the openbsd manual, but none seemed to do the trick. I gave up and installed Tailscale.
This isn’t a knock on PF. But years of reading glowing comments like this gave me some false hope that I could finally grok this stuff and maybe do some creative projects with it.
I've heard (but not read) good things about his fictional works as well, e.g., $ git commit murder:
bpf is a virtual machine to process network packets in kernel space. So it is sort of like the low level assembly language of network processing. It is entirely possible to build a high-level packet filtering language that compiles down to bpf, but I don't think PF does this. PF appears to use its own specific network processing interface.
Note the pf specific ioctls used to inject rules into the kernel.
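To show what "assembly language of network processing" means in practice, here is a tiny interpreter for a subset of classic BPF, run over a constructed Ethernet/IPv4/TCP frame with the instruction sequence that tcpdump compiles for the high-level expression `tcp dst port 22`. This is an added example, not code from the thread or from any BSD source tree; the opcode numbering, the frame contents and the helper names are assumptions made for illustration. Like the real VM, an out-of-bounds load (for instance on a truncated packet) makes the program return 0, i.e. drop.

```python
import struct

# Opcodes for the small classic-BPF subset this interpreter understands.
# (Numbering is assumed for this example; the real kernel encoding differs.)
LDH_ABS, LDB_ABS, LDXB_MSH, LDH_IND, JEQ, JSET, RET = range(7)

# Equivalent of `tcpdump -d 'tcp dst port 22'`, with jump offsets relative
# to the following instruction as in the real BPF encoding.
# Each entry is (opcode, k, jt, jf).
TCP_DST_PORT_22 = [
    (LDH_ABS,  12,      0, 0),  # A = ethertype
    (JEQ,      0x0800,  0, 8),  # IPv4? else -> ret 0
    (LDB_ABS,  23,      0, 0),  # A = IP protocol
    (JEQ,      6,       0, 6),  # TCP? else -> ret 0
    (LDH_ABS,  20,      0, 0),  # A = IP flags + fragment offset
    (JSET,     0x1FFF,  4, 0),  # non-first fragment? -> ret 0
    (LDXB_MSH, 14,      0, 0),  # X = 4 * (IHL nibble) = IP header length
    (LDH_IND,  16,      0, 0),  # A = TCP destination port at X + 16
    (JEQ,      22,      0, 1),  # port 22? else -> ret 0
    (RET,      262144,  0, 0),  # accept (snaplen)
    (RET,      0,       0, 0),  # drop
]


def run_bpf(program, pkt):
    """Interpret a classic-BPF program over pkt; return the accept length (0 = drop)."""
    a = x = pc = 0
    try:
        while True:
            op, k, jt, jf = program[pc]
            pc += 1
            if op == LDH_ABS:
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == LDB_ABS:
                a = pkt[k]
            elif op == LDXB_MSH:
                x = 4 * (pkt[k] & 0x0F)
            elif op == LDH_IND:
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == JEQ:
                pc += jt if a == k else jf
            elif op == JSET:
                pc += jt if (a & k) else jf
            elif op == RET:
                return k
            else:
                raise ValueError(f"unknown opcode {op}")
    except (IndexError, struct.error):
        # Any load past the end of the packet rejects it, as the real VM does.
        return 0


def build_frame(dst_port, proto=6):
    """Constructed sample frame: Ethernet + IPv4 (DF set, no fragments) + minimal TCP header."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET-1 addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    for label, frame in [("tcp/22", build_frame(22)),
                         ("tcp/80", build_frame(80)),
                         ("udp/22", build_frame(22, proto=17)),
                         ("truncated tcp/22", build_frame(22)[:30])]:
        print(f"{label:18s} -> {run_bpf(TCP_DST_PORT_22, frame)}")
```

A filter language such as tcpdump's sits one level above this: it compiles the human-readable expression into the instruction list and hands that to the kernel VM. The comment's observation is that pf does not take this route at all; its rules are parsed in userland and pushed into the kernel through pf-specific ioctls, so the two designs share a goal but not an execution model.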
It has OpnSense installed, but you can install anything you want
4GB RAM, 16GB ssd, wifi
skywal_l•10h ago
petegordon•10h ago
Rygian•9h ago
>A few questions immediately pop into readers' minds on hearing this news. The ones I get most often are,
> Why now? What took you so long?
>which quite frequently combines with
> What changed? Are previous editions now useless?
Which somehow contribute to highlight the inadequacy of the reader for not knowing what PF stands for in the first place.
depr•9h ago
radiowave•8h ago
andrewflnr•5h ago
Rygian•4h ago
HN is a place where people come to get exposed to a very diverse list of topics, from seismic faults to quantum computing.
As such, my expectation is that an article linked on the front page has a minimum of context for those coming from far away. In this case, the article that was chosen onto the front page not only lacks that context, but also is blissfully unaware of this expectation. Which is perfectly fine and normal for the author and for the intended readership.
I found that mismatch fun to read, in the "frequent questions" part of the article, and did not anticipate that my remark would be taken as caustic.
mananaysiempre•8h ago
Please don’t assume everybody who presupposes knowledge does so to assert their intellectual superiority. Presupposing knowledge is how we can communicate anything at all in a culture where one can be a dozen inferences or a couple of years of learning away from even understanding a question. And people who assert their intellectual superiority usually aren’t worth listening to at all—so if you end up concluding that every smart person is doing it, or even most of them, or most of them in a field, then you have a wide-ranging misunderstanding of some sort. This, about presupposing knowledge, is one that could be. (Another popular one is not understanding that, in mathematics, “obvious”, etc., does not mean “skill issue if you don’t get it” but rather “you’ve missed something important if you don’t get it, go back and think on it some more”.)
ecb_penguin•7h ago
Eventually let's just put the entire article in the title.
> not knowing what PF stands for in the first place
I'm going to level you up 10x right now.
1. Select the text "Book of PF" in Chrome
2. Right click on it
3. Search with Google
4. Read the summary "OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall"
BOOM! You can now do this with anything you don't know! You no longer need to ask someone to explain everything to you!
Spooky23•4h ago