Date:      Fri, 05 Jan 2007 08:37:03 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Atom Powers <atom.powers@gmail.com>
Cc:        Brett Davidson <brett@net24.co.nz>, questions@freebsd.org
Subject:   Re: Advice on which FreeBSD firewall package to choose.
Message-ID:  <459E0E2F.8010505@infracaninophile.co.uk>
In-Reply-To: <df9ac37c0701041637i7c521a92g29732caaa4f3f078@mail.gmail.com>
References:  <60224D09909C0B43A50935A0893D8FF31DA2DC@srv.exchange.net24.net.nz>	<459D76E6.2030904@mikestammer.com> <df9ac37c0701041637i7c521a92g29732caaa4f3f078@mail.gmail.com>


Atom Powers wrote:
> On 1/4/07, Eric <heli@mikestammer.com> wrote:
>> Brett Davidson wrote:
>> > Before I start, I'm familiar with IPTables from Linux but am wanting to
>> > use FreeBSD as a firewalling router after seeing it in action on a
>> > heavily-loaded webserver. I like the efficiency of the TCP stack.
>> >
>> > Upon reading the handbook I found that I can have my choice of three
>> > firewalls; pf, iptables and ipfw.
>> >
> ...
>> >
>> > Against prudence, they wish to allow torrent connections to the inside
>> > lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The
>> > torrent and ICQ connections will need to be bandwidth-managed so that is
>> > a major consideration for the choice of which firewall to use. Is there
>> > an equivalent to HTB on FreeBSD?
>> >
>> >
>> I believe pf is the most modern and cleanest/easiest syntax to use. It
>> is actively developed and lots of people use it. You can set up priority
>> on bandwidth in pf as well, so it should meet all your requirements
>> nicely.
>
> pf will also do the bandwidth management you want. I've used ipfw,
> ipf, iptables, and pf; pf is by far the most powerful and easy to use.
>

I also heartily endorse the use of pf.  However be aware that if you
want to use the QoS and other bandwidth management features you will
need to compile yourself a custom kernel with the appropriate ALTQ
stuff turned on.  Unfortunately ALTQ is not currently available as a
loadable module.  Compiling a new kernel is not particularly difficult
though.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
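
Added example, not part of the original message or of any poster's configuration: the kernel options that compile in ALTQ, followed by a pf.conf queueing fragment for the torrent and ICQ traffic discussed in the thread. CBQ is used because it is hierarchical with borrowing; the interface name, link speed, percentages and port numbers are assumptions.

```conf
# --- Kernel configuration file (custom kernel, e.g. a copy of GENERIC) ---
device   pf                 # packet filter compiled in
device   pflog              # pflog(4) logging interface
options  ALTQ               # the ALTQ framework itself
options  ALTQ_CBQ           # Class Based Queueing (hierarchical, with borrowing)
options  ALTQ_HFSC          # Hierarchical Fair Service Curve
options  ALTQ_PRIQ          # strict priority queueing
options  ALTQ_RED           # Random Early Detection
options  ALTQ_RIO           # RED In/Out
options  ALTQ_NOPCC         # needed on SMP kernels

# --- /etc/pf.conf (queueing part only) ---
# Assumed values: interface name, link speed, percentages, port numbers.
ext_if = "em0"

# ALTQ shapes traffic leaving an interface, so this limits upstream on $ext_if.
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_im, q_p2p }
queue q_std bandwidth 70% priority 3 cbq(default borrow)
queue q_im  bandwidth 10% priority 5 cbq(borrow)
queue q_p2p bandwidth 20% priority 1 cbq    # no borrow: 20% is a hard ceiling

# The last matching rule wins, so the general rule comes first.
pass out on $ext_if from any to any keep state queue q_std
pass out on $ext_if proto tcp from any to any port 5190 keep state queue q_im
pass out on $ext_if proto { tcp, udp } from any to any port 6881:6889 \
    keep state queue q_p2p
```

Torrent clients often use ports outside the assumed 6881:6889 range, so a port match alone will not catch all such traffic; anything unmatched falls into the default queue.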

