# OpenBSD pf to Linux iptables?

## elzbal

I am looking at replacing my OpenBSD firewall with a Linux solution... for a variety of reasons (including the desire to move to SMP hardware). However, I'm not sure that the Linux firewall (iptables) supports some of my favorite features of OpenBSD's pf. A few quick Google searches did not turn up what I was looking for. 

I understand that an iptables firewall will defragment incoming packets by default. Is this true?

My favorite feature of pf is the ability to modulate the initial packet numbers of outgoing packets... this not only helps with a certain class of security issues, but (along with packet defragmentation) also really messes with remote OS detection. Does iptables have this feature?

Is there anything else I might miss (other than the killer syntax of pf configuration)?

----------

## ozonator

*elzbal wrote:*

> I understand that an iptables firewall will defragment incoming packets by default. Is this true?

As far as I know, neither pf nor iptables defragments by default.  pf, however, makes it easy, with its traffic normalization options ('scrub').  With iptables, it's certainly possible to do things with fragments, though there seems to be no equivalent to 'scrub'.  It's at least easy to drop fragments, which normally shouldn't cause any problems, especially if path MTU discovery is working for you and you allow 'fragmentation-needed' icmp:

```
iptables -A INPUT -f -j DROP
```

As for reassembly, I don't know of any option in iptables that handles that (tcpmss is about the closest related thing I can think of offhand).  I suspect the kernel may be what handles that in Linux (see, for example, the /proc/sys/net/ipv4/ipfrag* items), but if anyone knows more, I'll be glad to hear about it.

*elzbal wrote:*

> My favorite feature of pf is the ability to modulate the initial packet numbers of outgoing packets... this not only helps with a certain class of security issues, but (along with packet defragmentation) also really messes with remote OS detection. Does iptables have this feature?


Again, not that I know of.  A Linux kernel with the grsecurity patches, however, can randomize initial sequence numbers and packet IDs; in the case of the ISNs, the patch even credits OpenBSD as the source of the method used.  I don't know, however, whether this would apply to packets routed through the machine, i.e., originating from other machines and OSes -- I suspect it should, but have never looked into how it works with routing, NAT, etc.

*Quote:*

> Is there anything else I might miss (other than the killer syntax of pf configuration)?


Yes, the pf syntax is indeed wonderful, and ultimately a big reason to like pf.  As for differences, pf has both authpf and OS detection built-in; neither are included with iptables.  Also, logging is handled differently (no pflog device in Linux), so if you like using tcpdump for checking logs, you'll miss that.  Otherwise, they seem to have mostly similar capabilities, but sometimes the implementation is different -- some things are in different places, require slightly different approaches, etc. (e.g., tagging and anchors in pf vs. chains in iptables).  Also, some terms have different meanings (notably, 'table').  Beyond that, the best way to get a sense of it (if you haven't already) is to take a look at the iptables docs (the man page is excellent) and some sample scripts, with an eye to seeing how to do what you're accustomed to doing with pf (even the basic filtering).  You'll probably sense quickly what you like and what you miss.

----------
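As an added example (not from the thread, and not written by either poster), here is a small POSIX sh script that puts ozonator's fragment handling into a form you can inspect before applying it: it generates the 'fragmentation-needed' accept and the fragment drop in the order they should be loaded, and prints the `/proc/sys/net/ipv4/ipfrag*` values the answer points at. The `iptables` path and the `APPLY` switch are assumptions of the example. One detail worth knowing before relying on `-f`: it matches only the second and later fragments of a datagram, so the first fragment (the one carrying the TCP/UDP header) is still judged by your ordinary port and state rules.

```shell
#!/bin/sh
# Added example (not from the thread above): generate the two fragment-related
# rules described in the answer (allow ICMP "fragmentation needed", drop the
# remaining fragments) and show the kernel's reassembly knobs under
# /proc/sys/net/ipv4/ipfrag_*. Nothing is applied unless APPLY=1 is set.

IPT=${IPT:-iptables}   # path to the iptables binary; an assumption, override if needed

# Emit the rules in application order, one command per line.
# Caveat: '-f' matches only the second and later fragments of a datagram;
# the first fragment is filtered by the normal port/state rules.
fragment_rules() {
    cat <<EOF
$IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A INPUT -f -j DROP
EOF
}

# Number of rules produced by fragment_rules (a sanity check for scripts
# that source this file).
rule_count() {
    fragment_rules | wc -l | tr -d ' '
}

# Print the kernel's IPv4 reassembly parameters, if this host exposes them.
show_ipfrag_sysctls() {
    for f in /proc/sys/net/ipv4/ipfrag_*; do
        [ -r "$f" ] || continue
        printf '%s = %s\n' "${f##*/}" "$(cat "$f")"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    # Execute each generated command (word splitting is intended here).
    fragment_rules | while IFS= read -r cmd; do
        $cmd
    done
else
    echo "# dry run; set APPLY=1 to apply these rules:"
    fragment_rules
fi
show_ipfrag_sysctls
```

Run it without arguments to see the rules and the current ipfrag settings; run it as root with `APPLY=1` to load the rules. Keeping the generator separate from the apply step means the same output can be diffed against `iptables-save` later to confirm the rules are still in place.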

