Is there a purpose for using pf if you have a hardware router/firewall?

[guitarscn]

I haven't started using pf yet, but I'm wondering if it would still be worth using if I already have a built-in firewall with my router and what the difference is between that and setting up a dedicated box as a pf firewall for everything to run through first before reaching any other computers on my network as opposed to not having one and just using the firewall router.

[BSDfan666]

There are many benefits.. what you call a router is simply a embedded packet filter, a firewall is just a term used to describe some of the features it provides.

If you were to replace the router with a dedicated OpenBSD router, there would be benefits.. advanced networking abilities.. flexibility.. and access to the source code is always nice.

I'm not going to list all the benefits of using OpenBSD instead of some embedded device running a generic RTOS, but personally.. I would always choose the former over the latter.

Hope it helps..

[BSDfan666]

Note; there is no reason to have both... if that's what you were asking, it would be highly redundant.

[ctaranotte]

Quote:

Originally Posted by guitarscn

I haven't started using pf yet, but I'm wondering if it would still be worth using if I already have a built-in firewall with my router and what the difference is between that and setting up a dedicated box as a pf firewall for everything to run through first before reaching any other computers on my network as opposed to not having one and just using the firewall router.

Your main concerns should be:

1) The nature and volume of the expected traffic. Would you have a FTP, HTTP and/or SSH server? Would you do some p2p? Would you use an XBox?

2) The specifications of your network: would it link two desktop computers? More computers and a server? Or else?

3) The specifications of the router: is this a heavy-duty router or one you just bought from you favorite consumer hardware shop? Could it handle the nature and volume of your traffic?

Depending on your answers to 1), 2) and 3), my guess is that you might better scrap your router for a dedicated box (OpenBSD, FreeBSD or NetBSD), pf, AltQ and a switch instead.

Hope its helps.

[jggimi]

Why use PF if you're not using OpenBSD as a router or bridge? Perhaps it's being used as a small server, or perhaps a workstation?

• Filtering rules can be used to control access out, or access in.
• Queue management rules can be used to shape outbound traffic
• State table management rules can be used to manage and control inbound requests for services
• Advanced UDP/TCP port redirection can be used for service management

You're probably familiar with filtering rules if you've ever used "personal firewall" software. The flexibility (and perhaps complexity) of PF rules typically allow more control over filtering than other firewall software.

Let's look at the other three features.

First, having used a SOHO NAT router, you may be familiar with "port forwarding" to expose services on your local network. This is a subset of the capabilities of PF port redirection rules. In particular, redirection to loopback can provide great flexibilty for virtual server control and management.

As for the last two features, I'm not aware of any SOHO router that can do traffic shaping (bandwidth control by application or network service) or inbound request rate control.

Keep your NAT router for the time being, and begin to learn how to use PF to your advantage. Eventually, you may sell your router and replace it with an OpenBSD platform. I did.

[ai-danno]

Traffic shaping isn't the only feature/capability OpenBSD with PF has that most commercial SOHO routers don't-

- IDS/IPS (Intrusion Detection and Prevention)
- traffic and performance graphing.
- A/V protection
- DNS server with dynamic DNS
- high-grade site-to-site VPN tunnelling and road-warrior capability
- HA (High Availability) with another firewall
- Spam filter (that works!)
- OS is itself secure, so low likelihood of exploitation.
- OS and applications are regularly updated.

Of course, you have to learn how to install, configure, and maintain the applications that provide the aforementioned functionality, but that's some huge potential.

But I believe the choice is not based on feature-comparison, but rather love of the job- you like OpenBSD/PF for various reasons already and know that it would do the same job and more, so why not use it?

[jggimi]

Little of that is PF, however.

[ai-danno]

Very true. I don't want to bait and switch- I guess the idea is that SOHO routers have zero extensibility, while OBSD firewalls are completely extensible beyond a simple PF NAT Firewall.

[JMJ_coder]

Quote:

Originally Posted by BSDfan666

Note; there is no reason to have both... if that's what you were asking, it would be highly redundant.

But, would it affect network performance?

[ai-danno]

Quote:

Originally Posted by JMJ_coder

But, would it affect network performance?

Not at average residential speeds. As a real-world example, here's my current setup-

- L2 unmanaged switch
- ADSL router with NAT (connected to switch and ISP)
- Desktop (connected to switch)
- OBSD box (connected to switch)


The Desktop gets a DHCP address (MAC-controlled) from the OBSD box that points it to the OBSD box for routing. The OBSD box is just a one-armed (single nic) NAT translator. The OBSD box picks up the packets from the Desktop, translates and filters them, then routes them out to the ADSL router, which NATs the packets one more time before routing them on to my ISP.

It's not the most network-efficient setup- but I have seen zero performance problems. I will eventually scale down what the ADSL router does in favor of the OBSD box (read: PPOE, NAT) and re-do the OBSD box with two nics, but for now, it's fine.

The OBSD box also fulfills the following functions with no discernible network latency-

- Cacti graphing
- DNS
- NTP
- IDS (with Snort/BASE)
- web server
- db server

... and will soon take on VPN services and IPS (snort2c). All with no network performance issues at all so far.