Update2:I have updated my experience with trying to use FreeBSD 10 as a PF firewall. Spoiler alert, it goes much better than this. Please read the new review for an update.
Update1: Let me preface this article by saying that the below install was done on 9.0 release day. I've been told that on release day ports might not be totally up to speed. The packages mentioned below that were broke have been reported to me as fixed. I have not checked this myself. In any event every word below is true and reflects a FreeBSD 9.0 install on release day.
It seems like every 3 or 4 years I try out FreeBSD to see if it can replace my OpenBSD firewall. I was assembling a new firewall and decided to try the just released FreeBSD 9.0. It had so many cool new features and most importantly it had PF as an available packet filter. I would be replacing an older install of PF and my rulsets would have worked perfectly on this box without any modification (Later releases of PF changed the structure of the rules).
The process started out great. Put a pre-made usb image of the installer on a old usb stick. OpenBSD does not offer this so score one for FreeBSD. During install you can turn on Trim support for your filesystems if you have an SSD. OpenBSD does not have this either. Score two for Free. The install was a breeze. This was looking fantastic so far. Logged in for the first time and did an update. That went very well. Unfortanatly, it was a downward spiral from there.
Before doing any of my PF setup I needed to get a few packages installed that I use on my firewall. I use Postfix as a mail relay on my network. Postfix talks to my ISP via SASL and TLS. Any machine on my network can send mail to it and it will relay that mail through the ISP. I install the FreeBSD prebuilt package for Postfix. I setup the config and fire up Postfix. I send a test email that does not go through. Checking the logs it tells me SASL is not built into Postfix. No problem I think. OpenBSD has a seperate package built with SASL for Postfix, surely FreeBSD has done the same right? Wrong! Crap, now we have to use ports.
In FreeBSD ports is a collection of files you will need to compile (build) applications. I thought I could get through a full system setup and not use the ports system like I can on OpenBSD. I was sadly mistaken about this. As I find out later with PF and Postfix and who knows what else, unless you have the most basic of setups your going to need ports with FreeBSD. So I go to install the files for ports since I did not do it during install. The fantastic FreeBSD handbook guides you through installing ports. One little issue. The FreeBSD handbook has not be updated for FreeBSD 9.0. FreeBSD 9.0 does not use sysinstall anymore yet they have not disabled it. So it looks like it might work but then bombs out. It took a while to find this out no thanks to the handbook. Many google searches point to using sysinstall to install ports. I took some other advice from the handbook and just used csup and portsnap to get the source. Not as easy but it finally worked. I got Postfix compiled with SASL and it worked fine after it installed.
I installed a few other basic packages I needed from the precompiled packages and then started on PF. I checked the handbook again on PF just to make sure there were no suprises. Suprise, I find out ALTQ is not built into the FreeBSD kernel, nor is it built as a kernel module for the generic kernel. Really? You can't even build it as a kernel module so it can be loaded if need be. Good grief. Now we have to build a new kernel with ALTQ. Glad we already have ports. ALTQ is built into the generic OpenBSD kernel by default. Now I'm starting to wonder if this was a good idea. I built the new kernel with ALTQ in it and the install went great. I'm not done yet but I can't take much more of this constant building of things that just seem to work on OpenBSD. But I'm a trooper so I continue.
Now that PF w/ALTQ is working we need some tools to help with managing pf. Pftop is a fantastic way to view all of the traffic going through your PF firewall in realtime. It is a must have for anyone using PF as a firewall. I can't say I'm shocked that there is no precompiled package for it. That seems to be the theme. On to ports then. I switch to ports and run my make to start the compile. Low and behold I get this nice message "PFtop port is broke ===> pftop-0.7_1 is marked as broken: does not compile on 9.X". Are you f'ing kidding me! Broken! Thats just great. Well I wonder, how about another PF package I want to install called PFflowd. I switch to that ports dir and run a make. I get "PFFlowd is broke "===> pfflowd-0.7 is marked as broken: does not compile.". That is my breaking point. Both of these can be installed as packages in OpenBSD in about 10 seconds. That is when I knew I was done with FreeBSD.
I wanted this to work out so bad. Your community looks so much friendler than OpenBSD's. You focus on performance and more cutting edge things than OpenBSD, but alas when it comes to being PF firewall you stink. Your PF ports are broken, you have to compile ALTQ into the kernel or a module, and even your Postfix package needs to be recompiled to support SASL. I'm sure your good at many other things like webservers or big filesystems using ZFS, but you don't seem to give to much love to PF or its packages. Hopefully in the future all the packages will be fixed by 9.1, and someone will make the decision that ALTQ is worthy of being compiled into the generic kernel (or as a module). I wish you the best FreeBSD
One of the reasons I fought so hard to stay with FreeBSD was for the TRIM support it's filesystem offered for my SSD. Also, FreeBSD supported the old PF ruleset format I had, so I would not have had to update my rules. Doing more research I found out that my SSD has a built in garbage collection routine so TRIM support was not a must, it would just help expedite cleanup. After reading that I was willing to just update the PF rules so I could get back to a nice simple OpenBSD box. PF is made by the OpenBSD group and its no wonder why they have so much support for it. I learned a lot about FreeBSD in this process but the journey was way to long and invloved. My install of OpenBSD went smoothly, and all of the packages for PF installed fine and worked without issue. Postfix w/SASL installed right from a package and there were no kernel recompiles. Also, there was no need to load the OpenBSD ports collection which saved me a ton of space (did I mention FreeBSD ports was a few Gigs just by itself). The whole OpenBSD install was less than 1 Gig. When you can run your whole distro from pre made packages it can really cut down on disk space and time to install.
I tried to stray but nobody does PF better than the creator. The grass was not greener. The simple and fast install is a pleasure to use. The minimal disk space it takes up is rare these days. The package maintainers make multiple versions of popular packges with different options compiled in so each person can have what they want. OBSD has everthing a person could want when making a firewall using PF. I do wish that in the future they will update the filesystem with some speed improvements and more features. Also, possibly make a bootable install image that can easily be put on a memory stick like FreeBSD does. Time to head over to the OpenBSD store to buy some things to help support the cause.
