Netfilter vs PF ? (not a troll) - Security


  1. Netfilter vs PF ? (not a troll)

    Hi,

    First, I'd like to say I don't want to start a troll or anything but I've
    been wondering for quite some time now which firewall was "the best" between
    Packet Filter (PF in OpenBSD) and Netfilter (2.6 kernel Linux).

    The thing is I bought a WRAP (PC Engines) and I'm willing to install one of
    those 2 on it. Since performance (throughput, latency, % loss), security
    (OpenBSD is well known for security, so I'm wondering if there has been any
    vulnerability in Netfilter) and "plugins" (PFsync, CARP, ALTQ i.e.) are the
    only things that matter to me (much more than the difference between the
    syntax or the platform), I'd like your help to make my choice.

    I know many would say "the best is the one that suits you better" but I'd
    like to see some benchmarks and purely technical differences instead...
    Something like: http://www.benzedrine.cx/pf-paper.html but up-to-date.

    I hope that asking about PF isn't forbidden

    Thanks

    Akane.



  2. Re: Netfilter vs PF ? (not a troll)

    "Akane" (06-10-18 00:32:19):

    > First, I'd like to say I don't want to start a troll or anything but
    > I've been wondering for quite some time now which firewall was "the
    > best" between Packet Filter (PF in OpenBSD) and Netfilter (2.6 kernel
    > Linux).
    >
    > The thing is I bought a WRAP (PC Engines) and I'm willing to install
    > one of those 2 on it. Since performance (throughput, latency, % loss),
    > security (OpenBSD is well known for security, so I'm wondering if
    > there has been any vulnerability in Netfilter) and "plugins" (PFsync,
    > CARP, ALTQ i.e.) are the only things that matter to me (much more than
    > the difference between the syntax or the platform), I'd like your help
    > to make my choice.


    Currently I can only speak for Netfilter. The most recent (serious) bug
    in Netfilter was a little signedness bug in handling the TCP options
    field, which could lead to an endless loop in kernel mode when
    triggered with certain values. This bug is about a year old by now.

    Performance is pretty good for Netfilter, but AFAIK it's a lot better
    for PF, at least since OpenBSD's network stack itself is faster than Linux's.

    I suggest you try and stress-test both.


    Regards,
    E.S.
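    The bug class E.S. describes, as an added C illustration rather than netfilter's own code: a TCP options walker whose signed, unchecked length field lets a length of zero stall the loop, beside a hardened walker that always advances and rejects bad lengths. The option bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed TCP options: MSS (kind 2, len 4, 1460), NOP, then a malformed
 * option (kind 3) whose length byte is 0. In real TCP the length counts the
 * kind and length bytes too, so any value below 2 is invalid. */
static const uint8_t kBadOpts[]  = { 2, 4, 0x05, 0xb4, 1, 3, 0, 0 };
static const uint8_t kGoodOpts[] = { 2, 4, 0x05, 0xb4, 1, 0 };

/* Hardened walker: returns 0 and the option count, or -1 on malformed input.
 * Every iteration moves the index forward by at least one byte, and a
 * length below 2 or one that runs past the buffer aborts the parse. */
int walk_tcp_options(const uint8_t *opt, size_t optlen, int *count)
{
    size_t i = 0;
    *count = 0;
    while (i < optlen) {
        uint8_t kind = opt[i];
        if (kind == 0)                    /* EOL: end of option list */
            break;
        if (kind == 1) {                  /* NOP: one byte, no length field */
            i++; (*count)++;
            continue;
        }
        if (i + 1 >= optlen)              /* kind present, length byte missing */
            return -1;
        size_t len = opt[i + 1];          /* unsigned, so 0x80..0xff stay positive */
        if (len < 2 || i + len > optlen)  /* len 0/1 would never advance the loop */
            return -1;
        i += len;
        (*count)++;
    }
    return 0;
}

/* The defect pattern: a signed length with no lower bound. With len == 0 the
 * index never moves and the loop spins forever; a negative (>= 0x80) length
 * would even walk backwards. max_iter is only here so the demo terminates:
 * -1 means "would have looped endlessly". */
int walk_tcp_options_buggy(const uint8_t *opt, size_t optlen, int max_iter)
{
    int i = 0, iter = 0;
    while (i < (int)optlen && iter++ < max_iter) {
        int8_t kind = (int8_t)opt[i];
        if (kind == 0) break;
        if (kind == 1) { i++; continue; }
        int8_t len = (int8_t)opt[i + 1];  /* signed and unchecked */
        i += len;                          /* len 0 => no progress */
    }
    return iter >= max_iter ? -1 : 0;
}
```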

  3. Re: Netfilter vs PF ? (not a troll)

    Ertugrul Soeylemez wrote:
    > "Akane" (06-10-18 00:32:19):
    >
    > > First, I'd like to say I don't want to start a troll or anything but
    > > I've been wondering for quite some time now which firewall was "the
    > > best" between Packet Filter (PF in OpenBSD) and Netfilter (2.6 kernel
    > > Linux).
    > >
    > > ...snip...

    >
    > Currently I can only speak for Netfilter. The most recent (serious) bug
    > in Netfilter was a little signedness bug in handling the TCP options
    > field, which could lead to an endless loop in kernel mode when
    > triggered with certain values. This bug is about a year old by now.
    >
    > Performance is pretty good for Netfilter, but AFAIK it's a lot better
    > for PF, at least since OpenBSD's network stack itself is faster than Linux's.
    >
    > I suggest you try and stress-test both.
    >
    > ...snip...


    I personally find pf much easier to configure and manage (syntax- and
    feature-wise) than iptables (netfilter) based packet filtering / port
    mapping / traffic shaping / load balancing boxen.

    Joel.


  4. Re: Netfilter vs PF ? (not a troll)

    On 18 Oct 2006 22:47:44 -0700
    "Joel Shea" wrote:
    >
    > I personally find pf much easier to configure and manage (syntax- and
    > feature-wise) than iptables (netfilter) based packet filtering / port
    > mapping / traffic shaping / load balancing boxen.


    Does this apply to the configuration with a public FTP server with
    a routable IP address behind the firewall?

    Thanks!
    -- mikhail

  5. Re: Netfilter vs PF ? (not a troll)

    > Currently I can only speak for Netfilter. The most recent (serious) bug
    > in Netfilter was a little signedness bug in handling the TCP options
    > field, which could lead to an endless loop in kernel mode when
    > triggered with certain values. This bug is about a year old by now.


    Ok, so security isn't a good point to make my choice!

    > Performance is pretty good for Netfilter, but AFAIK it's a lot better
    > for PF, at least since OpenBSD's network stack itself is faster than Linux's.


    Is it still true when applying filters and NAT?

    > I suggest you try and stress-test both.


    I'll do that and post the benchmarks when I finally get some free time!

    Thanks,

    Akane


