BSD Help
 
  #1  
Old November 25th, 2001, 03:55 AM
EaSyToKeR
openbsd 3.0 and ipf

i am doing a clean install of stable "just released on ftp" openbsd 3.0. as
of release 3.0 openbsd does not include ipf, they use a new firewall called
pf. i am sure you guys knew that so that is why i am asking ya this
question.

question: i don't want to use pf i want ipf which i have used for years, but
never upgraded or compiled from src. i just used what was present. is it
possible to dl the newest ipf and compile it to work on 3.0. if somebody has
already made a package please advise otherwise please give detailed
instructions on how to compile, install and other changes that need to be
made "like uninstall pf or disable it".

ps. if you guys know of any good openbsd forums and places that folks share
packages please post addy.

thanks,
easytoker

  #2  
Old November 25th, 2001, 04:47 AM
freebsd
Finally a real OpenBSD question.

>> i dont want to use pf i want ipf which i have used for years

Same here. Though, I have been playing around with pf for several months but I don't like it for several reasons:
1) In 2.X, ipf on OpenBSD didn't have a good record in stability. It was broken in all versions except 2.9-current prior to its removal. This leads to (2) below.
2) pf, being a brand new packet filter, the stability of it is very doubtful. Unless it's been tested for a year or so, I don't think it's usable in a production environment at this moment.
3) pf's author claimed that pf's syntax is compatible with ipf but that's not so true. pf seems to have more easily readable rulesets than ipf and that's the only advantage I have experienced so far. The problem is, when we are migrating to something new, it takes time and money and I can't afford it at this moment. So I'd wait and see.

>> is it possible to dl the newest ipf and compile it to work on 3.0

Definitely but not a wise move just because ipf can no longer be built into the kernel. That was the reason why I didn't try to look for the answer for your same question.

>> if you guys know of any good openbsd forums

http://www.deadly.org/
http://www.openbsdpost.net/ (not 24/7, perhaps 6/3)
http://www.daemonnews.org/

>> places that folks share packages please post addy

Don't know any. Why don't you search google.com?

Just so you know, I used to run 4 OpenBSD boxes plus other BSDs and I have 2 Open left (2.9-current and 3.0-current). 2 of them were being migrated to NetBSD and FreeBSD.
So my question is, is there any valid reason why you can't migrate to Net/Free so you can continue to use ipf?

  #3  
Old November 25th, 2001, 03:37 PM
EaSyToKeR
thanks for your help

i have heard that you can compile it to kernel. i think you have to ditch the original kernel and create your own from src. even if you can't compile it to kernel i don't think that is an issue because darren's ipf site says if you can run as a loadable mod. then do that instead of compiling to kernel. i need to figure out how to remove pf so they don't conflict with each other. i totally agree with you about pf. i see it as beta, and poor beta at that. it lacks so many features ipf has and for stability ha... i crashed pf many times running nessus, nmap and other tools against the firewall checking for problems. it won't be in my production network anytime shortly. it will be great but it has to pay its dues first. if theo made it impossible to add ipf then he contradicted himself on his open policy. if i can't mod. the O.S. to what i want then it's of no use to me. if i am forced to use pf or nothing at all then theo is just as bad as microsoft.

why can't i move to net/free?
i can but i have been using open for yrs. i have never had one hacked and yes there are several hundred attacks a day on some high profile boxes. you say ipf was unstable on all except 2.9? i have had very few issues with ipf. i just patched when advised and i don't recall having ipf being that unstable. but as you said it has had its issues and fixed, tested-fixed, tested-fixed, etc... and has matured into a great firewall. we have had free/net boxes of different revs. compromised over the years and not one openbsd box has ever been whacked, in my data center, and that says a lot to me. our engineering team has bought several copies of each openbsd release over the yrs. trying to support them, but we decided to d/l and try 3.0. if we find that they have made it impossible to use the apps we want then i can't see why we would continue to support them. i guess i need to look at netbsd and try it.

thanks,
easytoker

  #4  
Old November 25th, 2001, 06:06 PM
freebsd
>> i think you have to ditch the original kernel and create your own from src

I'm not the type of kernel hacker. However, please post the link here if you found one.

>> you say ipf was unstable on all except 2.9?

Except 2.9-current. Because stock ipf on Open has been highly patched and audited aggressively on security, some of the features like traceroute behind router, return-rst and return-icmp-as-dest(port-unr) were broken. Darren confirmed it was Open's decision bugs.

>> i dont recall having ipf being that unstable

Actually it's not that unstable but barely usable. Compared to ipf on NetBSD, I have to say it's far more stable on NetBSD. Maybe you should give NetBSD a try.

>> we have had free/net boxes of different revs. compromised over the years

Local exploits or remote ones?

  #5  
Old November 25th, 2001, 07:36 PM
EaSyToKeR
>> we have had free/net boxes of different revs. compromised over the years

Local exploits or remote ones?


freebsd: had both several times... that is why we use it for desktop vs. security implementations. free sure is nice for a desktop. i consider it to be the slackware for bsd.

netbsd: just had one instance with a local hack.

>> i think you have to ditch the original kernel and create your own from src

I'm not the type of kernel hacker. However, please post the link here if you found one.

neither am i, that is why we need a developer to help us make a port or package. it was word of mouth that i heard this. i will try to search some more.

ps. freebsd.. it is nice talking to you. you share your opinion in a professional way without getting upset when others have opinions that differ from yours.

what we need for openbsd is a place where 3rd party developers and users can share their ports and packages.

Last edited by EaSyToKeR : November 25th, 2001 at 07:38 PM.
