BSD Family Guide — FreeBSD, OpenBSD & NetBSD
The BSD operating system family — FreeBSD, OpenBSD, and NetBSD — represents the oldest continuously developed branch of Unix, offering a complete, integrated base system where the kernel, userland, and package manager are developed together as a single curated distribution.
What You’ll Learn & Why It Matters
In this tutorial, you’ll learn what makes BSD different from Linux, how FreeBSD delivers server-class reliability with ZFS, how OpenBSD sets the security standard with pf and pledge, how NetBSD runs on everything from routers to mainframes, and when to choose BSD over Linux for your infrastructure.
Real-world use: Netflix uses FreeBSD to power its Open Connect CDN appliances that serve streaming video to millions of users, OpenBSD runs the core firewalls at some of the world’s strictest security environments (banks, military), and NetBSD controls NASA robotics — all because each BSD variant excels at its specific niche.
The BSD Family Tree
BSD (Berkeley Software Distribution) began in 1977 at UC Berkeley as a set of enhancements to AT&T Unix. After legal battles in the early 1990s, the non-AT&T code was released as 386BSD, which forked into the three main modern variants.
```mermaid
graph LR
    UNIX["AT&T Unix (1970s)"] --> BSD["Berkeley BSD (1977)"]
    BSD --> 386BSD["386BSD (1992)"]
    386BSD --> FREEBSD["FreeBSD (1993)<br/>Performance, ZFS,<br/>servers, networking"]
    386BSD --> NETBSD["NetBSD (1993)<br/>Portability, embedded,<br/>legacy hardware"]
    NETBSD --> OPENBSD["OpenBSD (1995)<br/>Security, pf firewall,<br/>correctness"]
    style FREEBSD fill:#1565C0,color:#fff
    style NETBSD fill:#FF9800,color:#fff
    style OPENBSD fill:#4CAF50,color:#fff
```
What Makes BSD Different from Linux?
This is the most common question. The answer goes deep into design philosophy:
| Aspect | BSD | Linux |
|---|---|---|
| Development | Entire OS (kernel + userland) developed as one project | Kernel developed separately; userland comes from GNU and other projects |
| Licensing | BSD license (permissive) | GPL (copyleft) |
| Package management | Ports tree + binary packages (pkg) | Distribution-specific (apt, yum, pacman) |
| Init system | init (BSD-style) or launchd (macOS) | systemd (most distros) |
| File system | UFS (default), ZFS (FreeBSD) | ext4 (default), Btrfs, XFS |
| Firewall | pf (OpenBSD origin) | iptables/nftables |
| Documentation | Man pages + handbooks (excellent quality) | Varies by distribution |
Think of it this way: Linux is a kernel that distributions bundle with software from hundreds of sources. BSD is a complete operating system designed as a coherent whole. When you install FreeBSD, you get FreeBSD’s init, FreeBSD’s libc, FreeBSD’s compiler tools — all tested together, all released simultaneously.
FreeBSD: The Server Powerhouse
FreeBSD is the most popular member of the BSD family, known for exceptional networking performance, ZFS integration, and stability.
FreeBSD’s ZFS Implementation
ZFS (Zettabyte File System) was developed by Sun Microsystems and ported to FreeBSD as a first-class citizen. It’s arguably the most advanced file system available in open source:
| Feature | What It Does | Real-World Benefit |
|---|---|---|
| Pooled storage | Multiple disks act as one storage pool | No need for LVM + FS separately |
| Copy-on-write | Never overwrites data in place | Snapshots are instant, space-efficient |
| Checksums | Every block checksummed (not just metadata) | Silent data corruption is detected |
| Compression | LZ4, ZSTD, GZIP | Saves space with near-zero CPU cost (LZ4) |
| Deduplication | Duplicate blocks stored once | Massive savings for VM storage |
| Snapshots | Read-only point-in-time copies | Instant backups, rollback in seconds |
Creating a ZFS Pool
```sh
# Create a mirrored ZFS pool from two disks
zpool create -f tank mirror /dev/ada0 /dev/ada1
# Check pool status
zpool status tank
```
Expected output:
```
  pool: tank
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            ada0    ONLINE       0     0     0
            ada1    ONLINE       0     0     0

errors: No known data errors
```
FreeBSD Networking Performance
FreeBSD’s network stack is legendary. The netmap framework and sendfile(2) system call allow it to saturate 40Gbps and 100Gbps links with minimal CPU overhead. This is why Netflix’s CDN, Yahoo’s storage infrastructure, and many gaming servers run FreeBSD.
```sh
# Check network interfaces
ifconfig
# View routing table
netstat -rn
# Monitor live traffic with bmon (install via pkg)
pkg install bmon
bmon -p em0
```
FreeBSD Jails: Lightweight Virtualization
Jails are FreeBSD’s container technology, predating Docker containers by nearly a decade. Each jail has its own IP address, file system view, and process tree, but shares the host kernel.
```sh
# Create a basic jail: define it in /etc/jail.conf
# (the root directory must already hold a FreeBSD base system)
cat >> /etc/jail.conf <<'EOF'
myjail {
    path = "/usr/local/jails/myjail";
    ip4.addr = "192.168.1.100";
    exec.start = "/bin/sh /etc/rc";
    mount.devfs;
}
EOF
# Enable jails at boot
sysrc jail_enable="YES"
# Start the jail
service jail start myjail
# Enter the jail
jexec myjail /bin/sh
```
OpenBSD: Security by Default
OpenBSD forked from NetBSD in 1995 with a single goal: be the most secure operating system in the world. It has achieved that through a rigorous code audit culture and groundbreaking security features.
The OpenBSD Philosophy
The OpenBSD team audited every line of the codebase (76,000+ commits over 25+ years), finding and fixing bugs that had existed for decades in BSD code. Their motto: “No code is above scrutiny.”
Key security innovations that originated in OpenBSD and were adopted by other OSes:
- strlcat() and strlcpy() — safer string functions (prevent buffer overflows)
- arc4random() — cryptographically secure random numbers
- Privilege separation — each component runs with minimal permissions
- W^X — memory pages are either writable or executable, never both
The pf Firewall
OpenBSD’s pf (packet filter) is widely considered the most elegant and powerful firewall in existence. It was ported to FreeBSD, NetBSD, and macOS.
```
# /etc/pf.conf — A basic pf configuration
# Block everything by default
block in all
pass out all keep state
# Allow SSH from specific IP only
pass in proto tcp from 192.168.1.0/24 to port 22
# Allow web traffic
pass in proto tcp to port 80
pass in proto tcp to port 443
# Rate-limit ICMP echo requests (ping flood protection)
# max-src-conn-rate and overload only track TCP connections, so use max-pkt-rate
pass in inet proto icmp icmp-type echoreq max-pkt-rate 100/10
```
Apply it: pfctl -f /etc/pf.conf
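A quick static check for the two properties the ruleset above relies on (a default `block` and SSH limited to a named source), as an added example that is not part of the original tutorial. The function name `lint_pf` and the sample rules are constructed for illustration; it is a heuristic, and `pfctl -nf /etc/pf.conf` remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example: heuristic lint for pf.conf-style rules (not a full pf parser).
# Macros, tables and anchors are not expanded.

# Constructed sample ruleset (lines 4 and 5 expose SSH to every source).
SAMPLE_RULES='block in all
pass out all keep state
pass in proto tcp from 192.168.1.0/24 to port 22
pass in proto tcp to port 22   # missing "from"
pass in proto tcp from any to port { 443, ssh }
pass in proto tcp to port 443'

# lint_pf: reads rules on stdin, prints one finding per line on stdout.
lint_pf() {
    awk '
    {
        raw = $0
        sub(/#.*/, "")                 # drop trailing comments
        gsub(/[{}]/, " & ")            # make braces separate tokens
        gsub(/,/, " ")
    }
    NF == 0 { next }
    # A default-deny rule: "block all", "block in all", "block drop in all", ...
    $1 == "block" && $NF == "all" && $0 !~ / out / { deny = 1 }
    $1 == "pass" && $2 == "in" {
        ssh = 0; src = ""; side = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "from" || $i == "to") side = $i
            if ($i == "from") src = $(i + 1)
            # Only destination ports count (a port after "to")
            if ($i != "port" || side != "to") continue
            if ($(i + 1) == "{") {
                for (j = i + 2; j <= NF && $j != "}"; j++)
                    if ($j == "22" || $j == "ssh") ssh = 1
            } else if ($(i + 1) == "22" || $(i + 1) == "ssh") ssh = 1
        }
        if (ssh && (src == "" || src == "any"))
            printf "line %d: SSH reachable from any source: %s\n", NR, raw
    }
    END { if (!deny) print "no default-deny rule (block in all) found" }
    '
}

# Run the lint over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | lint_pf
```

To check a real file, run `lint_pf < /etc/pf.conf`.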
pledge() and unveil()
OpenBSD introduced two system calls that drastically reduce the damage a compromised program can do:
- pledge — a program promises to only use specific system calls. If it tries anything else, the kernel kills it.
- unveil — a program reveals only specific file system paths. Everything else is invisible.
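```c
// Example: restrict a program to only read files and use stdio
#include <err.h>
#include <unistd.h>

int main(void) {
    // Only allow reading /etc and /var/log
    if (unveil("/etc", "r") == -1)
        err(1, "unveil /etc");
    if (unveil("/var/log", "r") == -1)
        err(1, "unveil /var/log");
    if (unveil(NULL, NULL) == -1)   // Lock the veil
        err(1, "unveil lock");
    // Promise: only use stdio and file reading.
    // unveil() runs first: without the "unveil" promise, calling it
    // after pledge() gets the process killed.
    if (pledge("stdio rpath", NULL) == -1)
        err(1, "pledge");
    // Now this program cannot do anything else
    // even if compromised
    return 0;
}
```
OpenBSD’s Proactive Security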
OpenBSD finds and fixes vulnerabilities through continuous auditing:
| Year | Vulnerability Type | OpenBSD Action |
|---|---|---|
| 2000 | Format string bugs | Created format string checker, audited all code |
| 2003 | Buffer overflows | Wrote strlcpy/strlcat, moved to W^X |
| 2007 | Heap overflows | Added malloc protections, guard pages |
| 2015 | Use-after-free | Enable _REENTRANT by default, hardened allocator |
| 2020 | Speculative execution | Retpoline, compiler barriers |
NetBSD: Runs on Anything
NetBSD’s slogan is “Of course it runs NetBSD.” It has been ported to more hardware platforms than any other operating system — 57+ architectures including:
- Desktop: x86, x86_64, ARM, PowerPC
- Embedded: MIPS, ARM, SH4, m68k
- Retro: VAX, Amiga, Atari, Macintosh 68k
- Mainframe: Dreamcast? Yes, Sega Dreamcast runs NetBSD
The pkgsrc Package System
NetBSD’s pkgsrc (package source) is a cross-platform package management framework that also runs on Linux, macOS, and Illumos. It’s designed for maximum portability.
```sh
# Install a package from source
cd /usr/pkgsrc/www/nginx
make install clean
# Or use binary packages
pkg_add nginx
```
NetBSD on a Raspberry Pi
```sh
# Install NetBSD on a Raspberry Pi 4
# (assumes NetBSD/evbarm-aarch64 installed)
# Check CPU info
sysctl hw.model
# Check how many cores are in use (hw.ncpu is read-only and cannot be set with -w)
sysctl hw.ncpu
# Check available memory
vmstat -s | grep "pages managed"
```
Practical BSD Usage: A Comparison
| Task | FreeBSD | OpenBSD | NetBSD |
|---|---|---|---|
| Install a web server | pkg install nginx | pkg_add nginx | cd /usr/pkgsrc/www/nginx && make install |
| Check disk | zpool status / fsck | fsck_ffs | fsck_ffs |
| Monitor processes | top / htop | top | top |
| Set up firewall | pf or ipfw | pf (built-in) | npf |
| Run containers | Jails + ZFS | vmm (VMM) | npf + rump kernels |
| Best use case | Production servers, storage | Security-critical firewalls | Embedded/legacy hardware |
Common Errors & Mistakes
1. Treating BSD Like Linux
Mistake: Running apt-get install on FreeBSD and wondering why it fails.
Fix: BSD uses different package managers: pkg (FreeBSD), pkg_add (OpenBSD), and pkgsrc (NetBSD). Configuration files live in /etc like Linux, but the format often differs — /etc/rc.conf vs /etc/default/grub, for example. Read the BSD handbook before copying Linux commands.
2. Not Understanding What “Base System” Means
Mistake: Trying to remove or replace BSD components (like the built-in ftp client) with GNU versions “because they’re better.”
Fix: BSD’s base system is a single curated release. Replacing components with external versions can create dependencies and security issues. If you need GNU tools, install them via packages (e.g., pkg install coreutils) — they’ll coexist with the base system.
3. Forgetting pf Enable Rules
Mistake: Editing /etc/pf.conf but not applying the changes, then wondering why the old rules are still active.
Fix: Every time you edit pf.conf, run pfctl -f /etc/pf.conf to load the new rules. Use pfctl -s rules to verify the active ruleset. Add pf_enable="YES" to /etc/rc.conf to ensure pf starts at boot.
4. Ignoring ZFS ARC Memory Usage
Mistake: Installing FreeBSD with ZFS on a machine with limited RAM (e.g., 4GB) and wondering why the system is slow.
Fix: ZFS uses the Adaptive Replacement Cache (ARC) to cache disk data in RAM. By default, it can use up to 50% of available RAM. On memory-constrained systems, limit it: add vfs.zfs.arc_max=1g to /boot/loader.conf to cap ARC at 1GB.
5. Assuming All BSDs Are the Same
Mistake: Writing a script on FreeBSD and expecting it to run unchanged on OpenBSD.
Fix: While BSDs share a common heritage, their userland tools diverge. OpenBSD uses doas instead of sudo. FreeBSD uses pkg, OpenBSD uses pkg_add. Network configuration commands differ. Test scripts on each target OS.
Practice Questions
Question 1
What is the fundamental difference between BSD and Linux in terms of OS architecture?
Linux is a kernel that distributions combine with userland from various sources (GNU, GNOME, etc.). BSD is a complete operating system where the kernel, userland, and package manager are developed and released together as a single curated system.
Question 2
What makes ZFS different from traditional file systems like ext4?
ZFS combines volume management (pooled storage) with the file system, provides checksums on every block (detecting silent corruption), instant snapshots via copy-on-write, transparent compression (LZ4/ZSTD), and scalable data protection (RAID-Z) without separate tools.
Question 3
What is OpenBSD’s pf firewall, and what is its origin?
pf (packet filter) is a stateful firewall originally developed for OpenBSD. It's known for its clean, human-readable configuration syntax and performance. It has been ported to FreeBSD, NetBSD, and macOS. Configuration lives in `/etc/pf.conf`.
Question 4
What does pledge() do in OpenBSD?
`pledge()` allows a program to restrict itself to only specific system calls. If the program (or any code it executes) tries to use a restricted system call, the kernel immediately terminates it. This limits damage if the program is compromised.
Question 5
When would you choose NetBSD over FreeBSD or OpenBSD?
Choose NetBSD when you need maximum hardware portability — running on legacy hardware (VAX, Amiga), embedded systems with unusual architectures, or when you need the same OS across diverse hardware platforms. FreeBSD is better for servers; OpenBSD for security appliances.
Challenge
Set up a FreeBSD jail that runs a simple HTTP server serving static files. The jail should:
- Be created with its own loopback IP (127.0.1.1)
- Have only the base system (no extra packages)
- Run a minimal HTTP server (write one in C or use the built-in nc)
- Be accessible from the host via the loopback IP
- Log all access to a file on the host
- Include a script to start/stop the jail and verify it’s running
Real-World Task
Your startup needs to deploy a web application that handles sensitive financial data. You’ve chosen OpenBSD for its security track record. Design the security architecture:
- Set up pf rules to allow only HTTPS (443) and SSH (from your office IP range)
- Configure doas (OpenBSD’s sudo replacement) with minimal permissions
- Set up httpd (OpenBSD’s built-in web server) in a chroot
- Enable daily security scanning with security(8) scripts
- Configure syslog to forward to a remote log server
- Write a procedure for applying binary security patches (OpenBSD releases patches twice a year)
Mini Project: Cross-Platform System Information Script
Write a shell script that works on FreeBSD, OpenBSD, and NetBSD to display system information:
```sh
#!/bin/sh
# bsd-info.sh — Works on FreeBSD, OpenBSD, NetBSD
echo "=== BSD System Information ==="
echo "OS: $(uname -s) $(uname -r)"
echo "Architecture: $(uname -m)"
echo "Hostname: $(hostname)"
echo "Uptime: $(uptime | sed 's/.*up //' | sed 's/,.*//')"
# Memory — different commands per BSD
if [ "$(uname -s)" = "FreeBSD" ]; then
    echo "Memory: $(sysctl -n hw.physmem | awk '{printf "%.0f MB\n", $1/1024/1024}')"
elif [ "$(uname -s)" = "OpenBSD" ]; then
    echo "Memory: $(sysctl -n hw.physmem | awk '{printf "%.0f MB\n", $1/1024/1024}')"
elif [ "$(uname -s)" = "NetBSD" ]; then
    echo "Memory: $(sysctl -n hw.physmem64 | awk '{printf "%.0f MB\n", $1/1024/1024}')"
fi
# Disk usage
echo ""
echo "=== Disk Usage ==="
df -h / | tail -1 | awk '{print $1": "$3" used / "$2" total ("$5" full)"}'
# Running processes (numeric sort on the %CPU column; the header line sorts last)
echo ""
echo "=== Top 5 Processes by CPU ==="
ps aux | sort -k3,3 -nr | head -5
```
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
📖 Author: DodaTech | Last updated: June 15, 2026