Abstract
Despite having a powerful firewall service in its base system since early versions, known as the IPFW facility, FreeBSD has over time imported another popular packet filtering framework, the IPF system, and is now on the verge of importing the new kid on the packet filtering block, namely the open PF framework raised on OpenBSD grounds.
Having three packet filtering frameworks at your feet might sound delightful, but actually choosing one of them, or making them cooperate, might give you the shivers. Each framework has its strengths and weaknesses and often has its own different idea on how to handle certain aspects.
This tutorial will take a bird's eye view of these three packet filtering systems, detailing things where needed. It will address the latest additions to the IPFW semantics that try to raise its versatility to match the other two, and it will detail the facilities offered by the new generation of packet filters.
Two of these frameworks offer traffic shaping capabilities: we will review the Dummynet module in IPFW and the QoS services offered by PF with the help of the ALTQ framework. The nature of the shaping capabilities differs enough, though, that each is suited to a different type of service.
Lastly, bringing these three filtering systems together poses certain problems related to the hooking point in the network stack, and this issue is being addressed by the PFIL (packet filter interface) framework. We will see why and how this is being done.
Adjacent to the last topic, we will discuss the opportunity for a unified packet tagging mechanism to be used by various networking services.
Author's Description
Adrian is a networking specialist with over ten years of industry experience in the ISP field. He contracted the FreeBSD virus at a very young age (more exactly, since the 2.1.x times) and has been stuck with it ever since (that's not to say that he has not touched some other OSes such as OpenBSD, NetBSD, Linux, Solaris, etc.). More recently he has been involved in some open-source projects such as the ROFUG user group and the FreeBSD-ALTQ project. Currently he makes a living as a teaching assistant and also has a part-time ISP job. At home he is tormented by his own network of six computers, and he is a proud owner of an Apple iBook and a Power Mac G4. All he's missing now to become one of those UNIX gurus he has always worshipped is a horde of cats.