FreeBSD, the perfect server (for me)
A project is usually only as good as its technical underpinnings, much like a house of cards. Here are some, not most, of the reasons why I prefer FreeBSD over Linux for my servers.
In my opinion, documentation is always the key to success. Not many sane people can read man pages or the Arch wiki. FreeBSD’s documentation project alone is a major reason to use the operating system. Everything that’s possible is outlined so clearly that I use it as an entry point for most Linux questions I have when Google does not supply a quick answer.
While many people like to flaunt that FreeBSD has fewer CVEs than Linux, I have to admit that this is probably because it’s not as widely used. Perhaps a form of security through obscurity. Listing who uses it (Apple, Netflix, Sony, Nintendo, Yahoo!, Yandex) does not prove its perceived superiority either, just that it is trusted and perhaps useful.
The reason these companies use FreeBSD is because it just works. It really does. Security and reliability are achieved through engineered-in excellence in those aspects. One does not inspect quality into a product; it is built in, designed in even. FreeBSD is derived from the BSD of the 70’s and 80’s, meaning it has run real workloads for well over four decades. It has weathered some serious storms, lawsuits and competition, and the fact that it not only exists but thrives alongside other Unices and Unix-likes means it has its place. When you see an old item that’s still usable and in use, that means the initial concept was good enough. When you see that same item still in production today… It really does speak for itself.
Security also leads into my next point.
If you want the tightest security, go for OpenBSD. Need performance in some more niche use cases? Go for DragonFly BSD. Must it run on literally any heap of sand capable of thought? Go for NetBSD. Want an it-just-works desktop? There are choices for you too: GhostBSD, NomadBSD and more are capable of giving an excellent experience.
My point is that there is true diversity. Fedora and Ubuntu will probably garner similar experiences on the desktop, and Ubuntu Server and RHEL are both still enterprise Linux servers that to me seemingly only differ in some methodology of management. The BSD universe has distinct, varying qualities with practical end uses.
Perhaps the biggest difference to Linux is the license FreeBSD is distributed under. It boils down to the following.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Think that is the boiled down version? It’s the entire license. You can read it here.
It’s much more permissive than most licenses. This has a couple of effects that I will not discuss here, but it makes FreeBSD an excellent choice for building a project whose source code you do not want to release (like Sony and Nintendo), although it is better to do so (like iXsystems). This is code that is truly out there to be used for the betterment of mankind.
It’s clear and simple: ZFS, despite its few drawbacks, rules. Proven robust for almost 20 years. It is more than a filesystem: without going into too much detail, it also manages disks, compression, redundancy and much more. Btrfs, ReFS and VxFS are not nearly as good all-rounders, while ZFS beats them nearly outright in every area. Hardware RAID is obsolete.
ZFS is a first-class citizen on FreeBSD, and the fact of the matter is that it’s not on Linux.
UFS is the default and has been battle-tested since the 80’s. NTFS, ext4, FAT and more are of course also available.
Linux is just the kernel, governed by one man: Linus Torvalds (humorously called Benevolent Dictator for Life.) In my opinion this is actually a good thing for it; Linux’s main “superpower” is the fact that it can shift any which way it pleases. It’s why it’s a jack of all trades. If there is demand, it will provide.
FreeBSD is a democratically governed project that spans the entire operating system. Its features scale from the user’s programs all the way up into the kernel. It prefers technical excellence over quick development or popularity.
I love things that do things well. PF (Packet Filter) is an example of that.
A firewall is a collection of rules that coordinate actions imposed upon network traffic.
Because PF is a filter, it can do the things a firewall does AND more, like redirecting traffic between containers, configuring specific rules for each Ethernet adapter and more. And it’s readable too.
# macro: the external (internet-facing) interface
ext_if="vtnet0"
# answer blocked packets with TCP RST / ICMP unreachable instead of silently dropping them
set block-policy return
# reassemble fragments before filtering so rules see whole packets
scrub in on $ext_if all fragment reassemble
# never filter loopback traffic
set skip on lo
# table that Bastille fills with the jails' addresses
table <jails> persist
# NAT outbound jail traffic to the host's first address on $ext_if
nat on $ext_if from <jails> to any -> ($ext_if:0)
# anchor Bastille uses for per-jail port redirects
rdr-anchor "rdr/*"
# default deny inbound; allow outbound and keep state for the replies
block in all
pass out quick keep state
# drop packets on $ext_if that claim a source address belonging to its own networks
antispoof for $ext_if inet
# only SSH is opened inbound; flags S/SA matches only the initial SYN
pass in inet proto tcp from any to any port ssh flags S/SA keep state
This is the base configuration needed for Bastille to work. If you can’t read what this says, I don’t think you should be working with firewalls.
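As an added example (not code from the post or from Bastille), here is a small Python checker that parses a pf.conf like the one above, expands its macros, and verifies the properties that make this ruleset safe: default-deny inbound, antispoof on the external interface, inbound pass rules limited to a protocol and port, and rule order, since PF is last-match-wins unless a rule says quick. The config string is the one quoted above, embedded as sample input.

```python
import re

# Constructed sample: the Bastille base pf.conf quoted above.
PF_CONF = """\
ext_if="vtnet0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
"""

def parse_pf(text):
    """Expand $macros, collect declared tables, return rule lines in order."""
    macros, tables, rules = {}, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"?([^"]*)"?', line)
        if m:  # macro definition such as ext_if="vtnet0"
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        if line.startswith("table "):  # table declaration such as <jails>
            tables.add(re.search(r"<(\w+)>", line).group(1))
            continue
        rules.append(line)
    return macros, tables, rules

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    macros, _tables, rules = parse_pf(text)
    ext, findings = macros.get("ext_if"), []
    if "block in all" not in rules:
        findings.append("no default-deny inbound rule (block in all)")
    if ext is None or f"antispoof for {ext} inet" not in rules:
        findings.append("no antispoof on external interface")
    for r in rules:  # inbound passes must be narrowed to a protocol and port
        if r.startswith("pass in") and not re.search(r"proto \w+ .*port \S+", r):
            findings.append(f"inbound pass without proto/port: {r}")
    blocks = [i for i, r in enumerate(rules) if r == "block in all"]  # last match wins
    passes = [i for i, r in enumerate(rules) if r.startswith("pass in") and " quick " not in r]
    if blocks and passes and blocks[0] > min(passes):
        findings.append("block in all comes after a pass in rule and overrides it")
    return findings
```

On a real host this complements, not replaces, `pfctl -nf /etc/pf.conf`, which checks syntax but not intent.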
That’s right, you can run almost all Linux programs on FreeBSD, sometimes even faster. The original Matrix movie special effects were created on Linux, but rendered on FreeBSD because it ran the Linux software faster.
Jails are nowadays often described as the original containerization platform. In reality this is a new development, as Docker has taken the software world by storm to the point where people will look at you like you’re insane if you don’t use it. A jail is essentially the FreeBSD term for a container from before the word container meant what it means today. More accurately, a jail is a collection of namespace changes.
The first and foremost purpose of a container is exactly that: to contain. It’s a safety measure, often appearing to an intruder as the real system whereas they’re actually only digging in a small part. It also separates applications, meaning a rogue program won’t take down the whole system, provided the container was well configured. And jails are very easily configured to limit system resources, access to raw sockets and more.
In the real world they are used to very easily deploy/provision fragile applications, even though tools like Ansible exist exactly for that task. The benefit of Bastille in this is that it does everything well. Out of the box it provides a sane base thin jail, thin meaning it shares the operating system’s userspace programs. You can even replace it with a Linux userspace with a single command, to run Linux apps. Even the programs in its filesystem can be “shared” through ZFS deduplication. You can package up entire older insecure FreeBSD systems into jails and protect them from the outside world.
The best thing about Bastille is the templates. There are a lot of templates for webservers, home automation, databases, etc. In other words, you can stack them on top of each other to create these software bundles. In Docker templating is still considered experimental.
Jails are a seemingly endlessly flexible tool.
Because FreeBSD stacks its features from top to bottom, it is not an edge case to combine features in any which way. It is performant, stable, secure and extremely well documented. A mature development organization coupled with a track record of quality makes it a competent or even superior alternative to Linux. It might even “feel” nicer to use FreeBSD because of its logical administration.