FRESH

Hacker News

Home

Moving from OpenBSD to FreeBSD for firewalls

193 points by zdw

by hapless

0 subcomment

This post sounded faintly crazy to me, so I went into a little wiki-hole consisting primarily of mailing lists and dev docs
Turns out, the main reason `pf` is non-portable is that half of it runs inside Berkeley-type network stacks, often in kernel space, but the remainder is in user space.
So the miserable single-threaded `pf` on OpenBSD is still, in some part, single-threaded on FreeBSD, but for certain rule-sets, you will get the benefits of FreeBSD's intensively re-entrant and multithreaded TCP/IP, because those parts of `pf` are embedded in the network stack.
So depending on workload, a given `pf` configuration on OpenBSD might be perfectly equal to its FreeBSD counterpart, or hundreds of times slower. I feel like this gives a lot of context to the OP's grousing around "10 gbps"
P.S. To confess my own biases: a port of a `pf` configuration to a platform where some rulesets are high performance and others are not, that would not be very attractive to me. An improvement, but not a solution. I would be looking to move to a Linux stack. Baby steps, I guess. I have done worse things to better people!
P.P.S. I suspect this coupling between a re-entrant TCP/IP stack and a single-threaded firewall process is also why FreeBSD `pf` is never even close to feature parity with its OpenBSD counterpart -- it is just easier to do new stuff with a simpler model

by dylan604

1 subcomments

I once wrote a similar post to an DVD industry centric mailing list (remember those?) regarding switching to FCP7 from Adobe Premiere with a huge difference in how FCP7 would allow capturing of discrete audio channels vs Premiere forcing an interleaved audio stream. Eventually, a rep from Adobe contacted me through my company's PR team (a first for me) to go over the list of complaints. At the end, he agreed these were all valid complaints, and then asked "if Premiere added these changes would I be willing to switch back"? At that point, I said probably not as we'd now be fully switched to FCP7 in all departments. So I understand that sentiment as well. Honestly, I was shocked that someone actually read my missive and actually paid any mind to it. So maybe someone at OpenBSD will be as receptive if not equally unable to do anything about it.

by popknobinfanny

4 subcomments

Root on ZFS is an easy sell for me. OpenBSD's ancient filesystem is notoriously flaky, and they have no interest in replacing it anytime soon.
I can't be worried that critical parts of my network won't come back up because the box spontaneously rebooted or the UPS battery ran out (yes it happens — do you load test your batteries — probably not) and their bubblegum-and-string filesystem has corruption and / and /usr won't mount and I gotta visit the console like Sam Jackson in Jurassic Park to fsck the damn thing.
Firewalls are critical infra — by definition they can't be the least reliable device in the network.

by SoftTalker

2 subcomments

As noted, recent changes to OpenBSD TCP handling[1] may improve performance.
On a 4 core machine I see between 12% to 22% improvement with 10 parallel TCP streams. When testing only with a single TCP stream, throughput increases between 38% to 100%.
I'm not sure that directly translates to better pf performance, and four cores is hardly remarkable these days but might be typical on a small low-power router?
Would be interesting if someone had a recent benchmark comparison of OpenBSD 7.8 PF vs. FreeBSD's latest.
[1] https://undeadly.org/cgi?action=article;sid=20250508122430

by kuon

2 subcomments

I was using OpenBSD for my firewalls for a long time, but with the arrival of 10Gbit/s ethernet, I realized that I had to move back to ASIC based firewalls.
Yes, you can forward 10Gbit/s with linux using VPP, but you cannot forward at that rate with small packets and stateful firewall. And it requires a lot of tuning and a large machine.
A used SRX4200 from juniper runs at around 3k USD and you can even buy support for it and you can forward at like 40Gb/s IMIX with it.
I still prefer PF syntax over everything else though.

by yuvadam

13 subcomments

What's wrong with Linux for firewalls? Either openwrt, or any distro really.
Why would any BSD perform better?
(edit: genuinely curious why BSDs are such popular firewalls)

by somat

1 subcomments

I am not very familiar with FreeBSD's pf but my understanding is that fbsd integrated it from OpenBSD and then proceeded to put a fair amount of work in making it more performant(multi core) while OpenBSD put most of it's work into improving pf's features, At this point the two pf's are different enough that they are not really compatible. OpenBSD can't really use much of fbsds multi core work and FreeBSD is A. Is a lot more hesitant about breaking backwards compatibility and B. would need get the queuing structures to work with their kernel. In short FreeBSD pf is like using an old fast version of OpenBSD pf
In fact if you asked me to explain the difference between obsd and fbsd it is exactly this. fbsd focuses on performance and obsd focuses on ergonomics.

by asteroidburger

1 subcomments

Who is the "we" here? I've poked around a few pages on this fellow's site, and apparently haven't found the right one to answer that.

by awesome_dude

2 subcomments

> There are some things about FreeBSD that we're not entirely enthused about.
Damn I wish that they had expanded on this a bit (not to start a flame war, but to give readers a fuller picture, or even to prod the FreeBSD community into "fixing" those things)
edit: typo fix

by ThinkBeat

1 subcomments

I find it a bit odd that they seem to have gone from having OpenBSD as the standard and are not moving to FreeBSD and Ubuntu.
I an not sure what role these computers that may transition to Ubuntu do, there are probably good reasons, I wish he had expanded on it.

by Y_Y

4 subcomments

So you don't like OpenBSD, but you do like Ubuntu?
This person seems like they know wht they are talking about and given it serious thought, but I cannot fathom how you could make such a conclusion today.

by jmclnx

5 subcomments

For me, the only drawback for corporations is the 6 month upgrade. There is no LTS on OpenBSD.
I use OpenBSD as a workstation and it works great, but in a production environment I doubt I would use OpenBSD for critical items, mainly because no LTS.
It is a sad state of affairs because Companies do not want nor will want a system you need to upgrade so often even if its security very good.

by 0xWTF

2 subcomments

I don't understand why this has 29 points and no comments. What's so amazing about this?

by j45

2 subcomments

I just like the reference to 10G ethernet. It can't become normal soon enough.

by wslh

3 subcomments

I imagine a near future where TCP/IP stacks, and device drivers are interchangeable between operating systems. In Linux, NDISWrapper [1] enables to use Windows drivers in Linux but it's a wrapper (with all due respect to this project).
[1] https://en.wikipedia.org/wiki/NDISwrapper

by theideaofcoffee

2 subcomments

Just more navel-gazing from UTCC. I still don't understand why all of these submissions get upvoted so often. 10G performance just really isn't that interesting anymore, maybe around 2005 when it was the new kid on the block. If they were talking about squeezing firewall performance out of a box with a couple of 200g or 400g adapters and on run-of-the-mill CPUs and no offloading or something like Netflix publishes with their BSD work, I'd be more interested.