From: k simon
To: freebsd-stable@freebsd.org
Date: Wed, 21 May 2014 17:20:11 +0800
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537C6FCB.8060600@gmail.com>
In-Reply-To: <537C654B.1010205@gmail.com>
References: <20140520070926.GA92183@The.ie> <4341ADF1-E684-4531-8DD0-10107E097D68@punkt.de> <537C654B.1010205@gmail.com>

On 14-5-21 16:35, Rolf Nielsen wrote:
> IPFW for me too.

IPFW +1. Though it does not support NAT pools until now :), and I never used it for "keep-state".

PF is easy to use, but it is hard for me to master. Its packet sequence checking is too strict and it prevents reuse of the source port under extreme load if you are not an expert at adjusting the timeouts. But pf's "scrub" and "reply-to" are amazing, and the syntax is easy to understand.

Pfsync + pfflowd is a good idea to implement a NetFlow/IPFIX probe. I think it has low overhead and better performance than ng_netflow because you can install a pfflowd instance on a different box. But pfflowd has been outdated since FreeBSD 9 was released.

Regards
Simon
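The post above touches on three pf features without showing them: "scrub", "reply-to", and the state timeouts that govern source-port reuse, plus pfsync with a pfflowd probe on a separate box. The fragment below is an added illustration, not code from the thread or from the FreeBSD project. Interface names (em0, em1, em2), the RFC 5737 documentation addresses, the collector address, and the pfflowd -n flag and rc.conf variable names are assumptions for the example; check them against pf.conf(5), pfsync(4) and the pfflowd port's rc script on your release before use.

```pf
# /etc/pf.conf  (added example; interfaces and addresses are assumed)

ext_if  = "em0"            # first uplink
ext_gw  = "203.0.113.1"    # its next hop (RFC 5737 documentation address)
ext2_if = "em1"            # second uplink
ext2_gw = "198.51.100.1"   # its next hop
int_if  = "em2"
lan     = "192.0.2.0/24"

# State table sizing. Under heavy load the default limit (10000) fills
# quickly; once it is full new connections are dropped.
set limit states 200000

# Timeouts. The FreeBSD defaults keep a closed TCP state around for
# tcp.closed (90s) and a FIN-WAIT state for tcp.finwait (45s); a client
# that recycles source ports faster than that sees its SYNs matched
# against the stale state and dropped. Shortening these is the
# "expert" tuning the post refers to. Adaptive timeouts scale every
# value down as the table fills.
set timeout { tcp.finwait 15, tcp.closed 10, tcp.closing 30 }
set timeout { adaptive.start 120000, adaptive.end 180000 }

# scrub: reassemble fragments and normalize TCP before rules see packets.
scrub in all fragment reassemble

# NAT the LAN out whichever uplink the packet leaves on.
nat on $ext_if  from $lan to any -> ($ext_if)
nat on $ext2_if from $lan to any -> ($ext2_if)

block in log all
pass out all keep state

# reply-to: a connection that arrived on the second uplink gets its
# replies sent back through that uplink's gateway, regardless of the
# default route. Without it, multi-WAN return traffic leaks out em0.
pass in on $ext_if  proto tcp to ($ext_if)  port 443 keep state
pass in on $ext2_if reply-to ($ext2_if $ext2_gw) \
    proto tcp to ($ext2_if) port 443 keep state

pass in on $int_if from $lan to any keep state

# /etc/rc.conf (added example) -- the firewall node
#   pf_enable="YES"
#   pfsync_enable="YES"
#   pfsync_syncdev="em3"          # dedicated, unrouted sync segment
#
# /etc/rc.conf (added example) -- a second box on the same sync segment
# that only listens to pfsync state updates and exports them as NetFlow,
# so the flow export costs the firewall nothing beyond pfsync itself.
#   pfsync_enable="YES"
#   pfsync_syncdev="em3"
#   pfflowd_enable="YES"          # net-mgmt/pfflowd; variable name assumed
#   pfflowd_flags="-n 192.0.2.250:2055"   # collector address assumed
```

Verify the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -si` (state table inserts, removals and "current entries") under load to confirm the timeout changes actually reduce the number of lingering closed states rather than just guessing.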