From: Peter Wemm
Date: Thu, 22 May 2014 15:50:23 -0700
To: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537E7F2F.1050903@wemm.org>
References: <20140520070926.GA92183@The.ie> <537CF293.5010508@sentex.net>
In-Reply-To: <537CF293.5010508@sentex.net>

On 5/21/14, 11:38 AM, Mike Tancsa wrote:
> On 5/20/2014 3:09 AM, Lucius Rizzo wrote:
>> I have been looking into articles comparing firewalls that come with
>> FreeBSD. There isn't much recent info on the net. I am currently using
>> FreeBSD 10 with IPFilter.
>
> It depends. I will use ipfw or pf depending on the app. But I never
> use ipfilter as there is really no one maintaining it in FreeBSD.
> Also, if you are using RELENG_10, using pf can better take advantage
> of multiple cores.
>
> For stateful firewalls, pf is the way to go for me. The rules are
> easy to manage in a simple text configuration file which makes it
> easier to maintain across reboots. ipfw is good (for me) where speed
> is important, and very few rules are needed. Also, if you want to do
> traffic shaping, dummynet+ipfw works well. The traffic shaping
> solutions for pf are not so good right now.
>
> ---Mike
>

For what it's worth, we use FreeBSD-11 pf + carp on the FreeBSD.org clusters. The main reasons:

1) state tracking. We write our rules to try and maximize the state hits and minimize the rule searching.
2) tables and the rule optimizer
3) we use pairs of firewalls so we can do no-interruption upgrades / failovers. pfsync makes this possible.
4) in kernel nat / scrubbing etc.
5) multi-core in 10.x+
6) atomic updates to rulesets

I can't stress enough the value of having the paired primary/backup firewalls that are in sync. We use them to filter between as many as 15 network segments in some of our clusters. We don't trust vlan to vlan traffic and there's a default-deny configuration for everything. We have 100-300 rules on each site and see anywhere from 30:1 to 500:1 state hits vs rule searches (i.e., for every sequential rule lookup, there are as many as 500 hash hits on the state table).

The main source of pain we have is that the pf in FreeBSD doesn't do ipv6 fragment processing. We had to work around this because we have public facing DNS servers behind it and they have to deal with ipv6 fragments.

-Peter
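The following is an added, constructed example of how the six points in Peter's post (state-first rules, tables and the optimizer, a carp/pfsync pair, in-kernel NAT and scrub, default deny between segments) map onto pf.conf and rc.conf on a FreeBSD 10.x-era pair. It is not the FreeBSD.org cluster configuration, which the post does not show; every interface name, address, vhid, table name and the carp password are placeholders.

```conf
# /etc/pf.conf  (constructed example; interface names, addresses and tables are placeholders)
ext_if   = "em0"          # upstream link
sync_if  = "em1"          # dedicated crossover link carrying pfsync only
dmz_if   = "vlan10"       # public-facing DNS servers live here
int_if   = "vlan20"       # management segment
ext_carp = "203.0.113.1"  # shared carp address on the upstream side

table <rfc1918>     const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <dns_servers> const { 192.0.2.10, 192.0.2.11, 2001:db8:10::53 }
table <bruteforce>  persist

# pfsync is unauthenticated: it rides a dedicated physical link that is never
# filtered, rather than being passed by rule on a shared segment.
set skip on { lo0, $sync_if }
set ruleset-optimization basic   # point 2: lets pf reorder/merge rules and build skip steps

# Point 4: in-kernel normalisation. IPv4 fragments are reassembled before rules
# and states are evaluated. The post reports that FreeBSD's pf of this era does
# not reassemble IPv6 fragments, so fragmented IPv6 towards <dns_servers> has to
# be tested explicitly; the workaround used is not described in the post.
scrub in all fragment reassemble

# In-kernel NAT. Translate to the carp address, not ($ext_if): the per-box
# interface address differs between primary and backup, and a pfsync'd state
# must stay valid after failover.
nat on $ext_if inet from <rfc1918> to any -> $ext_carp

# Default deny for everything, including vlan to vlan. pf is last-match, so
# this sits first and every later 'pass' is 'quick' to stop the search early.
block log all

# Never filter the failover machinery or IPv6 neighbour discovery.
pass quick on { $ext_if, $dmz_if, $int_if } proto carp no state
pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state

# Offenders collected by the ssh rule below; expire them from cron with
# 'pfctl -t bruteforce -T expire 86400'.
block in quick from <bruteforce>

# Point 1: each permitted flow is one quick rule that creates state, so only
# the first packet of a flow walks the ruleset; every later packet is a hash
# hit in the state table (the 30:1 to 500:1 ratio in the post).
pass in quick on $ext_if proto { tcp, udp } to <dns_servers> port domain keep state
pass in quick on $int_if proto tcp from $int_if:network to <dns_servers> port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in quick on $int_if from $int_if:network to any keep state

# DMZ hosts may only talk to non-private destinations. dmz -> int traffic
# matches nothing here and falls through to 'block log all'.
pass in quick on $dmz_if from $dmz_if:network to ! <rfc1918> keep state

# Locally originated traffic from the firewalls themselves.
pass out quick on { $ext_if, $dmz_if, $int_if } from (self) keep state
```

The rc.conf side of the same pair (placeholders again; the backup uses the identical file with `advskew 100` on each vhid, and `net.inet.carp.preempt=1` in /etc/sysctl.conf so all vhids fail over together rather than one link at a time):

```conf
# /etc/rc.conf on the primary (constructed example)
pf_enable="YES"
pflog_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em1"

ifconfig_em0="inet 203.0.113.2/24"
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass changeme alias 203.0.113.1/32"

cloned_interfaces="vlan10 vlan20"
ifconfig_vlan10="inet 192.0.2.2/24 vlan 10 vlandev em2"
ifconfig_vlan10_alias0="inet vhid 10 advskew 0 pass changeme alias 192.0.2.1/32"
ifconfig_vlan20="inet 10.0.20.2/24 vlan 20 vlandev em2"
ifconfig_vlan20_alias0="inet vhid 20 advskew 0 pass changeme alias 10.0.20.1/32"
```

Check a ruleset with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`, which swaps in the whole ruleset as a unit (point 6) without dropping existing states. `pfctl -s info` reports the "State Table ... searches" counter alongside "Counters: match", which is the state-hits versus rule-searches ratio the post quotes; `pfctl -s states` on the backup should show the same entries as the primary once pfsync is up, which is what makes the no-interruption upgrade in point 3 possible.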