FreeBSD vs Linux: An SRE's Take
Published on
The Position I'm Arguing From
I run both. Linux runs on workstations, on Kubernetes nodes, in containers, anywhere a hardware vendor only ships drivers for one kernel. FreeBSD runs at the edge of my network, on my homelab router, and on a small fleet of "long uptime, small surface area" boxes. After a while, you stop arguing about which is "better" and start noticing the seams: which kind of work each one absorbs without complaint.
The Init System
Linux gave us systemd, which is genuinely powerful — units, timers, sockets, and
cgroup integration are all useful. It is also a sprawling project with surprising
edges. The first time you write a unit file you feel productive; the fortieth time
you find yourself reading journalctl's manual page to figure out why
a timer ran twice.
FreeBSD's rc.d is the opposite. Each service is a shell script.
service foo start calls /etc/rc.d/foo start, which
sources /etc/rc.subr and runs the steps as written. There's no
message bus, no socket activation, no parallelisation. That's a real cost — boot
is slower, and you don't get cgroup-style resource limits for free. But every
service is a file you can read end to end in two minutes.
For a router with five services, rc.d is plainly easier. For a workstation that starts twelve user-session components in parallel, systemd earns its keep.
Networking
This is where FreeBSD's coherence shines. ifconfig, route,
and netstat have been doing the same things for thirty years. Their
flags don't change between releases. The pf firewall has a configuration syntax
that reads like English, and the same syntax works on OpenBSD if you ever drift
that way.
Linux networking, by contrast, has gone through several generations: ifconfig → ip; iptables → nftables; route → ip route; brctl → ip link. They mostly work, and nftables is a real improvement over iptables — but the documentation lag is chronic, and the ecosystem (Docker, k8s, Cilium, every cloud) layers more abstractions on top.
For a network device — a router, a firewall, a VPN concentrator — FreeBSD's stability is a feature, not a bug. The configuration I learn today will still be valid in five years. (See the pf.conf design article for what that buys you in practice.)
Filesystems
ZFS on FreeBSD is first-class — it's part of base, the installer offers it, and the kernel and userland speak it natively. ZFS on Linux is excellent these days too (OpenZFS shares code with FreeBSD), but the integration is one step less smooth: out-of-tree module, distro-specific packaging, occasional friction with new kernels.
ZFS-native features that change my day-to-day:
- Boot environments.
bectl createbefore any risky change, reboot to recover. - Snapshots and clones. Cheap. Free. Use them.
- zfs send/recv. Replicate a dataset to another host with one command and a pipe.
- Compression and dedup that just works.
compression=zstdon a dataset and forget about it.
For storage-heavy hosts I'll pick FreeBSD purely for the boot environment story. Linux + ZFS gets you most of the same tooling, but the seams show.
Containers and Jails
Linux owns containers. Docker, containerd, Kubernetes, OCI, runc — that ecosystem is huge, well-funded, and where most server software targets first. If your job is to ship containerised services, run them on Linux.
FreeBSD's jails predate Docker by years and have a different shape. A jail is a
partition of the kernel's userspace, not a packaged image. There's no registry,
no jail run nginx:latest, no kubectl. There is a single, well-defined
primitive that's been in the kernel since 2000, and a userland that rarely
surprises you. (See FreeBSD Jails for Network
Services for what that looks like in practice.)
Different problems, different shapes. I run jails on the router and Kubernetes on a Linux cluster, and both teams are happy.
Package Management
FreeBSD's split between pkg (binary packages) and ports
(build from source) is unusual and good. pkg install nginx works
like apt install; cd /usr/ports/www/nginx && make
install rebuilds with whatever options you want. You can mix and match.
Linux package management is more diverse, which is both its strength and its weakness. apt, dnf, pacman, zypper, snap, flatpak, AUR helpers — each ecosystem has its own opinions and its own failure modes. NixOS is a notable outlier (and one I run on Linux servers — see Why I Run NixOS on My Servers), trading the whole package metaphor for a declarative one.
Documentation
The FreeBSD Handbook is a real book. It's edited, cross-referenced, and current.
Combined with thorough man pages, it's often the only resource you need. The
culture of "the manual page is the documentation" is alive there in a way it
mostly isn't on Linux any more, where you're as likely to end up on a vendor blog
as in man systemd.service.
That said, Linux benefits from the largest installed base on the planet. Whatever weird question you have, somebody else has had it and written about it. FreeBSD forces you to build the muscle of reading primary sources first.
Security Posture
Both can be hardened. Both can be made into Swiss cheese. The distinguishing factor is what you get out of the box:
- FreeBSD: a small base system, conservative defaults, jails as a security boundary, signed updates, ZFS for tamper-evident snapshots.
- Linux: AppArmor or SELinux for fine-grained MAC, namespaces and seccomp for container isolation, kernel hardening flags everywhere — and an enormous attack surface in the most popular distributions.
For a network appliance with a small set of services, FreeBSD is easier to keep small. For a heterogeneous fleet running everything from databases to web apps, Linux's tooling around containers and namespaces is hard to beat.
Where I Reach For Each
Some honest defaults from my own infrastructure:
- FreeBSD for: edge router and firewall, NAS and storage appliances, anything where I want a five-year config that doesn't drift.
- Linux (NixOS specifically) for: Kubernetes nodes, GPU hosts, CI runners, anything that needs newer hardware support or vendor-specific kernel modules.
- Either works for: web servers, databases, build hosts, VPN endpoints. Pick the one your team is more comfortable with.
What People Get Wrong
Three myths I keep hearing:
- "FreeBSD is dying." It isn't. It's quietly running Netflix's CDN, WhatsApp's servers (historically), enormous storage arrays, and most of the world's network appliances. Quiet is not dead.
- "Linux is more secure because it gets more eyes." Eyes without intent don't find bugs. Both projects have serious people doing serious work; "more popular" doesn't translate to "better audited" in any measurable way.
- "You have to pick one." You don't. Run both. Use each where it shines.
The Verdict
FreeBSD is a coherent, conservative system that rewards close reading. Linux is a sprawling, opinionated ecosystem that rewards investment in tooling. Both are excellent. The "right" choice depends entirely on what you're building and what you want to ignore.
If you've been Linux-only for a decade, spinning up a FreeBSD VM and walking through the Handbook for an evening will sharpen how you think about Linux, too. The act of seeing a different lineage of Unix-shaped ideas makes the one you already use less invisible.
Further Reading
- Building a FreeBSD pf Router — concrete BSD in action
- pf.conf: Writing Rules That Survive a Power Outage — pf in depth
- FreeBSD Jails for Network Services — jails on a router
- Why I Run NixOS on My Servers — the Linux side of my fleet
Disagree? I'd genuinely like to hear it. The best feedback I get on these posts comes from people who run the other way.
$ subscribe --to newsletter
FreeBSD, pf, and SRE notes — straight to your inbox. No spam, just signal.
Powered by Buttondown. Unsubscribe anytime. Or grab the RSS feed.