IPTables vs pf

darkfoon

Member
Jun 14, 2006
49
0
66
I'm building a "busy box" for LAN parties that will act (among other things) as a firewall/router.
The only thing that is determining the OS that I use is whether the OS can run the Steam Linux Dedicated Server. I know FreeBSD, which has pf, has Linux Binary Compatibility, so that OS is an option. Currently I am testing with an Arch Linux box with IPTables.

So, I'm curious, does IPTables have any security risks that make it inferior to pf?

 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: darkfoon
So, I'm curious, does IPTables have any security risks that make it inferior to pf?
Security risks? Not if you've set it up properly, no. But PF is generally considered to have the easier syntax to work with, which can be helpful when you're writing complex rulesets. PF is also usually the first to get various features (e.g. OS fingerprinting) that appeal to firewall geeks. But for probably 90% of all installations, the two are functionally equivalent.
 

darkfoon

Member
Jun 14, 2006
49
0
66
For sake of argument, we'll assume I have set it up properly; whether I actually do or not is another matter.

I looked at the PF syntax, and I agree that it has easier syntax than IPTables. Much easier.
However, since I have this server mostly set up at the moment, I think I'll stick with IPTables and Arch Linux until I find some kind of limitation, at which point I'll consider other OSes like OpenBSD or FreeBSD.

Thank you for your input.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Use Webmin to administer your iptables firewall and it makes it much much easier. If it is STILL too complicated, you could also use Shorewall (also administerable through Webmin) which has simpler syntax and then converts the rules into iptables rules.
 

BurnItDwn

Lifer
Oct 10, 1999
26,322
1,830
126
Iptables is great.
pf is great.

I switched over from Iptables on a 2.4 Linux kernel to pf on OpenBSD 4.0 earlier this year. My network has never been compromised since the old days of using ipchains .... but I made the switch just because I got an old box that I decided to use as a dedicated firewall/NAT box. My "server" is now just a server ... and no longer used for NAT.

That said ... you should use whatever you are more comfortable with. I run Slackware (server), Knoppix (KnoppMyth MythTV HTPC), OpenBSD 4.1 (my old P3 450 laptop as well as my newer P4 laptop), OpenBSD 4.0 (firewall/NAT), and Windows XP (gaming rig) .... As of the last several months, I've generally preferred OpenBSD over any flavor of Linux for anything new, or for my old hardware ... but both are great at whatever tasks are thrown at them.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Easy != Better.
Simple != Easier.


Sometimes software designed to be 'Easy' is not very good software. Also, much more often, software has to be very complex to be simple for users to use.

The nice thing about PF being simple is that there is less to go wrong. It's much easier to deal with and less likely that something will go wrong with it. With Linux and IPtables the trend is to simply depend on other people to make good rules and write 'easy' front-ends for your use. Sometimes it works, sometimes it doesn't.

I don't know too much about the technical differences, but I wouldn't be surprised if Iptables is a bit more capable and even a bit faster than PF, but it's not something that is going to matter to the vast majority of people. For everybody's purposes here I would expect that they are both very capable of doing anything you'd like to do.
 

darkfoon

Member
Jun 14, 2006
49
0
66
Well, I settled with IPTables because I know how to set up my server in Linux. Before I started this, I didn't know either IPTables or pf; now I know a little about IPTables.

I'm rather familiar with OpenBSD, and I like the base install environment: nothing extra. I feel like I have a clean slate to build on top of, where with other OSes I have to find things to turn off. This is also why I have stuck with Arch Linux in this project. I had heard some good things about it in forums, so I decided to try it for my server. It's very "OpenBSD-like" in its design. Not "secure by default", but there is nothing running to disable. I don't believe that it has grsec or W^X or anything like that patched into its default kernel, but my box isn't going to be that mission-critical, nor do I need that much security for a LAN party router.

But mostly I stuck with Linux because OpenBSD doesn't run the Steam Dedicated Server client (which is for Linux). Maybe there's a way to hack it to run with OpenBSD, but it was another headache I didn't want to deal with. If anybody knows about this, I would be very appreciative of the knowledge.

I tried webmin. I didn't like it. I had no idea what kind of rules it would write. Also, webmin royally messed something up, because when I removed it, my kernel barfed all kinds of errors at boot, so I did a clean install to make sure it was all gone.
Quite frankly, I've gotten used to SSHelling into my box and manually writing the rules.

For dedicated router/firewall boxes, I use pfSense. I love the web interface, and creating rules makes sense. Webmin made rule creation annoying. Writing IPTables rules by hand isn't all that difficult, now that I have a rudimentary grasp of how it works.

Thanks all for your input
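As an added example (not from anyone in this thread), this is the shape of a hand-written iptables ruleset for a LAN-party router like the one discussed above: a stateful default-deny filter plus NAT, emitted in iptables-restore format and sanity-checked before it is loaded. The interface names (eth0/eth1), the LAN subnet and the game-server port are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example, not from the thread: emit a stateful default-deny iptables
# ruleset (iptables-restore format) for a two-interface LAN-party router.
# Interface names, LAN subnet and game-server port are assumed parameters.

gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; game_port="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this box opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management (SSH) only from the LAN side
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
# game server reachable on its (assumed) port
-A INPUT -p udp --dport $game_port -j ACCEPT
-A INPUT -p tcp --dport $game_port -j ACCEPT
# LAN hosts may initiate outbound; only their replies are forwarded back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Sanity check on stdin before loading: INPUT and FORWARD must default to DROP,
# and every ACCEPT on INPUT must be bound to an interface, a state or a port.
check_ruleset() {
    awk '
      /^:INPUT / || /^:FORWARD / { if ($2 != "DROP") bad = 1 }
      /^-A INPUT / && /-j ACCEPT/ && !/-i / && !/--ctstate/ && !/--dport/ { bad = 1 }
      END { exit bad ? 1 : 0 }'
}

# Usage (load with: gen_ruleset ... | iptables-restore, as root):
# gen_ruleset eth0 eth1 192.168.1.0/24 27015 | check_ruleset && echo "ruleset ok"
```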
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Some operating systems, like FreeBSD or Solaris, feature Linux binary compatibility support. If the client doesn't have too many dependencies it should work in either.


OpenBSD binary compatibility is mentioned at:
http://www.softwareinreview.com/cms/content/view/56/

Keep in mind that Linux generally outperforms OpenBSD by a wide margin in most benchmarks. I don't know about the Steam server, but if you're hitting the CPU or I/O hard then I'd just stick with Linux. If it's not very demanding then it doesn't matter very much what OS you'd use, I suppose.
 