
What's wrong with using any BSD? Can't people use whatever suits their needs?


Of course, I'm genuinely curious why BSDs are more popular as firewalls.


Because of pf[1]. It's just a very capable firewall with a pleasurable configuration language.

[1] https://www.openbsd.org/faq/pf/


Agreed, `pf` is a delight to use.

Borrowing a demonstration from https://srobb.net/pf.html

    tcp_pass = "{ 22 25 80 110 123 }"
    udp_pass = "{ 110 631 }"
    block all
    pass out on fxp0 proto tcp to any port $tcp_pass keep state
    pass out on fxp0 proto udp to any port $udp_pass keep state

Note that the last matching rule wins, so you put your catch-all, "block all", at the top. Then in this case fxp0 is the network interface. So they're defining where traffic can go to from the machine in question, in this case any source as long as it's to port 22, 25, 80, 110, or 123 for TCP, and either 110 or 631 for UDP.

<action> <direction> on <interface> proto <protocol> to <destination> port <port> <state instructions>


One can further parametrize things with, e.g.,

    int_if = "fxp0"

The BSDs still tend to use device-specific names versus the generic ethX or location-specific ensNN, so if you have multiple interfaces, knowing about internal and external may help the next person who sees your code to grok it.
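
To make the last-match-wins point from the two comments above concrete, here is an added example that is not from either commenter and is not OpenBSD's own pf code: a small Python evaluator for the subset of pf.conf syntax used above (macros, `block`/`pass`, `in`/`out`, `on`, `proto`, `from`/`to`, `port`, `keep state`) plus the `quick` modifier. The ruleset inside it is constructed: it is the one quoted above, with the interface pulled into an `$ext_if` macro and two extra rules on port 25 added to show how `quick` changes the outcome. Function names, the packet representation and the sample addresses are my own choices.

```python
"""Toy evaluator for a pf.conf subset, to illustrate pf's rule ordering:
every rule is evaluated top to bottom, the LAST matching rule decides,
and a matching rule marked `quick` ends evaluation immediately.
Added example; not the pf implementation and not from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ruleset: the thread's rules with an interface macro and
# two extra port-25 rules (a `quick` block followed by a pass) appended.
SAMPLE_CONF = """
ext_if = "fxp0"
tcp_pass = "{ 22 25 80 110 123 }"
udp_pass = "{ 110 631 }"
block all
pass out on $ext_if proto tcp to any port $tcp_pass keep state
pass out on $ext_if proto udp to any port $udp_pass keep state
block out quick on $ext_if proto tcp to any port 25
pass out on $ext_if proto tcp to any port 25 keep state
"""


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None  # "in", "out" or None (matches both)
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[list] = None       # address list; None or ["any"] = anything
    dst: Optional[list] = None
    sport: Optional[set] = None      # port sets; None = any port
    dport: Optional[set] = None


def parse_conf(text: str) -> list:
    """Expand $macros and parse the rule lines of the supported subset."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"(.*)"', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        rules.append(parse_rule(line))
    return rules


def parse_rule(line: str) -> Rule:
    toks = line.replace("{", " { ").replace("}", " } ").split()
    rule, side, i = Rule(action=toks[0]), "dst", 1

    def take_list() -> list:                    # one value or a `{ a b c }` list
        nonlocal i
        if toks[i] == "{":
            end = toks.index("}", i)
            vals, i = toks[i + 1:end], end + 1
        else:
            vals, i = [toks[i]], i + 1
        return vals

    while i < len(toks):
        t = toks[i]
        i += 1
        if t == "quick":
            rule.quick = True
        elif t in ("in", "out"):
            rule.direction = t
        elif t == "all":
            pass                                # `all` means from any to any
        elif t == "on":
            rule.iface = toks[i]
            i += 1
        elif t == "proto":
            rule.proto = toks[i]
            i += 1
        elif t == "from":
            side, rule.src = "src", take_list()
        elif t == "to":
            side, rule.dst = "dst", take_list()
        elif t == "port":                       # applies to the side last named
            ports = {int(p) for p in take_list()}
            if side == "src":
                rule.sport = ports
            else:
                rule.dport = ports
        elif t == "keep":
            i += 1                              # `keep state`: irrelevant to ordering
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def matches(r: Rule, p: dict) -> bool:
    addr_ok = lambda allowed, a: allowed is None or "any" in allowed or a in allowed
    port_ok = lambda allowed, n: allowed is None or n in allowed
    return ((r.direction is None or r.direction == p["dir"])
            and (r.iface is None or r.iface == p["iface"])
            and (r.proto is None or r.proto == p["proto"])
            and addr_ok(r.src, p["src"]) and addr_ok(r.dst, p["dst"])
            and port_ok(r.sport, p["sport"]) and port_ok(r.dport, p["dport"]))


def evaluate(rules: list, p: dict) -> tuple:
    """Return (action, index of deciding rule).  If no rule matches, pf passes
    the packet (index None), which is why `block all` belongs at the top."""
    verdict = ("pass", None)
    for idx, r in enumerate(rules):
        if matches(r, p):
            verdict = (r.action, idx)
            if r.quick:                         # quick: stop here, later rules ignored
                break
    return verdict


def decide(conf: str, direction: str, iface: str, proto: str, dport: int,
           src: str = "198.51.100.7", dst: str = "203.0.113.9", sport: int = 40000):
    """Parse `conf` and evaluate one packet (sample addresses are TEST-NET)."""
    pkt = {"dir": direction, "iface": iface, "proto": proto,
           "src": src, "dst": dst, "sport": sport, "dport": dport}
    return evaluate(parse_conf(conf), pkt)


if __name__ == "__main__":
    for d, proto, port in [("out", "tcp", 22), ("out", "tcp", 443), ("in", "tcp", 22), ("out", "tcp", 25)]:
        print(d, proto, port, "->", decide(SAMPLE_CONF, d, "fxp0", proto, port))
```

This only models matching order; it ignores state tables, address prefixes, tables and `set skip`, so treat it as a reading aid for the rule-ordering discussion rather than a checker. For a real ruleset, `pfctl -nf /etc/pf.conf` parses without loading, and removing the word `quick` from the port-25 block rule in the sample above is a quick way to see the final pass rule win instead.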

Doing the same thing with nftables is not really complicated either.

The documentation on BSDs, and in particular OpenBSD, is generally high quality.


