Date:      Thu, 22 May 2014 15:50:23 -0700
From:      Peter Wemm <peter@wemm.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <537E7F2F.1050903@wemm.org>
In-Reply-To: <537CF293.5010508@sentex.net>
References:  <20140520070926.GA92183@The.ie> <537CF293.5010508@sentex.net>

On 5/21/14, 11:38 AM, Mike Tancsa wrote:
> On 5/20/2014 3:09 AM, Lucius Rizzo wrote:
>> I have been looking into articles comparing firewalls that come with
>> FreeBSD. There isn't much recent info on the net. I am currently using
>> FreeBSD 10 with IPFilter.
>
> It depends. I will use ipfw or pf depending on the app. But I never 
> use ipfilter as there is really no one maintaining it in FreeBSD.  
> Also, if you are using RELENG_10, using pf can better take advantage 
> of multiple cores.
>
> For stateful firewalls, pf is the way to go for me.  The rules are 
> easy to manage in a simple text configuration file which makes it 
> easier to maintain across reboots.  ipfw is good (for me) where speed 
> is important, and very few rules are needed.  Also, if you want to do 
> traffic shaping, dummynet+ipfw works well. The traffic shaping 
> solutions for pf are not so good right now.
>
>     ---Mike
>
For what it's worth, we use FreeBSD-11 pf + carp on the FreeBSD.org 
clusters.  The main reasons:

1) state tracking.  We write our rules to try and maximize the state 
hits and minimize the rule searching.
2) tables and the rule optimizer
3) we use pairs of firewalls so we can do no-interruption upgrades / 
failovers.  pfsync makes this possible.
4) in kernel nat / scrubbing etc.
5) multi-core in 10.x+
6) atomic updates to rulesets

I can't stress the value of having the paired primary/backup firewalls 
that are in sync.

We use them to filter between as many as 15 network segments in some of 
our clusters.  We don't trust vlan to vlan traffic and there's a 
default-deny configuration for everything.  We have 100-300 rules on 
each site and see anywhere from 30:1 to 500:1 state hits vs rule 
searches (i.e.: for every sequential rule lookup, there's as many as 500 
hash hits on the state table)

The main source of pain we have is that the pf in FreeBSD doesn't do 
ipv6 fragment processing.  We had to work around this because we have 
public facing DNS servers behind it and they have to deal with ipv6 
fragments.

-Peter
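The configuration style Peter describes (default deny between segments, tables, state-first matching with short rule walks, a synced firewall pair, in-kernel NAT and scrub) as an added illustration. This is not the FreeBSD.org cluster's ruleset and not code from the thread; every interface name, address, table member and segment layout below is an assumed placeholder.

```pf
# Added illustration of a pf.conf in the style described in the post.
# Assumed placeholders throughout: interfaces em0-em3, RFC 5737/3849
# documentation addresses, and a three-segment layout.

ext_if  = "em0"       # public side
int_if  = "em1"       # internal segment
dns_if  = "em2"       # segment holding the public DNS servers
sync_if = "em3"       # dedicated link between the two firewalls, pfsync only

# Tables: one rule references many addresses, and membership can be changed
# at runtime (pfctl -t <name> -T add/delete) without reloading the ruleset.
table <dns_servers> { 192.0.2.10, 192.0.2.11, 2001:db8::10, 2001:db8::11 }
table <mgmt_hosts>  { 198.51.100.0/24 }
table <blocked>     persist     # empty at load, filled by operators or tooling

set skip on lo0
set block-policy drop

# In-kernel normalization. IPv4 fragments are reassembled here; see the
# post's caveat about IPv6 fragment handling in FreeBSD's pf.
scrub in all

# In FreeBSD's pf the translation section must precede the filter rules.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Default deny, logged. Every rule after this is an explicit exception.
block log all

# Drop listed sources before any state is created for them.
block in quick on $ext_if from <blocked>

# Keep the firewall pair in sync: pfsync on its own link, carp on the shared
# segments. These states are marked no-sync so they are not replicated to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on { $ext_if, $int_if, $dns_if } proto carp keep state (no-sync)

# Management of the firewall itself, only from the admin network.
pass in quick on $int_if proto tcp from <mgmt_hosts> to ($int_if) port ssh keep state

# Public DNS: the first packet of a flow walks the rules once; every later
# packet of that flow is answered from the state table. 'quick' stops the
# walk at the first match, which is what keeps rule searches short.
pass in  quick on $ext_if proto { tcp, udp } from any to <dns_servers> port domain keep state
pass out quick on $dns_if proto { tcp, udp } from any to <dns_servers> port domain keep state

# Internal segment may initiate outbound; the default deny on the other
# interfaces' out direction still stops it from reaching the DNS segment
# except on the port allowed above.
pass in  quick on $int_if inet from $int_if:network to any keep state
pass out quick on $ext_if inet from $int_if:network to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading; `pfctl -f /etc/pf.conf` then replaces the whole ruleset as one unit, which is the atomic update the post lists. `pfctl -s info` reports state-table searches alongside rule matches, so a ratio like the 30:1 to 500:1 figure above can be read straight off a running firewall. The pfsync interface itself is configured outside pf.conf (in FreeBSD, the `pfsync_enable` and `pfsync_syncdev` knobs in rc.conf), as is carp on the shared segments.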