Comparing UFW to pf is apples and oranges.

Using a more apples to apples comparison, pf is way simpler than iptables.

By bringing up UFW, which is an iptables wrapper, you're not looking for a pf alternative so much as a pf wrapper. But it was the complexity of iptables that drove development of wrappers like UFW in the first place; pf doesn't really have the same level of need that iptables did.

Personally, having used iptables and ipfilter, I always thought pf was pretty simple.



> By bringing up UFW, which is an iptables wrapper, you're not looking for a pf alternative so much as a pf wrapper. But it was the complexity of iptables that drove development of wrappers like UFW in the first place; pf doesn't really have the same level of need that iptables did.

I fully understand that pf is equivalent to iptables, and is a lower-level abstraction than UFW. But the question stands: is there a simple, foolproof utility for blocking ports on BSD with a single command? I just don't feel like whitelisting port 80 should require authoring a config file.


> Is there a simple foolproof utility for blocking ports on BSD with a single command?

Yes. It is called pf.

    block in  on fxp0  proto tcp  to any  port { 25 80 }
... blocks incoming email and http connections on the fxp0 interface. That is all you need to put in pf.conf to do that.


I recommend using `egress` in a simple setup like that, it'll still work if you ever change your network device.

    block in on egress proto tcp to port { 25, 80 }


I agree. The syntax is very readable and easy to understand. With consumer firewalls being pwned all the time, OpenBSD with PF could be a good option for some people.


I’m going to have to get it set up again... ahh the simplicity and robustness of OpenBSD...


Yes, you can; the command is called 'vi' :)

    block all
    pass proto tcp to port www
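As an added example, not taken from any comment in this thread: a complete minimal /etc/pf.conf that ties together the `block all` / `pass` whitelist shown just above and the `egress` advice earlier, with comments on the rule-ordering semantics that make it work. The `egress` interface group, the choice of SSH and HTTP as the only inbound services, and the loopback skip are assumptions made for the illustration.

```pf
# /etc/pf.conf (constructed example; assumes the outward-facing NIC is in
# the built-in "egress" interface group and that only SSH and HTTP should
# be reachable from outside)

# Inbound TCP ports we allow. A macro keeps the pass rule below readable.
# Service names resolve through /etc/services.
tcp_services = "{ ssh, www }"

# Never filter loopback; local daemons talk to themselves over lo0.
set skip on lo0

# Default deny, both directions. In pf the LAST matching rule wins unless
# "quick" is given, so this catch-all goes first and the more specific
# "pass" rules below override it for exactly the traffic we want.
block all

# Let the host itself reach out (DNS, package updates, ...). Pass rules
# keep state by default, so replies to these outbound connections are
# admitted automatically without a separate "pass in" rule.
pass out on egress

# Whitelist inbound TCP to the listed ports only; everything else stays
# blocked by the "block all" above.
pass in on egress proto tcp to port $tcp_services

# Check syntax without loading:   pfctl -nf /etc/pf.conf
# Load the ruleset:               pfctl -f /etc/pf.conf
# Show the rules actually loaded: pfctl -sr
```

Adding `log` to the `block all` line (`block log all`) records the dropped packets on the pflog0 interface, which is the usual starting point for seeing what a host is being probed for.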
