From: Mike Tancsa
Organization: Sentex Communications
Date: Wed, 21 May 2014 14:38:11 -0400
To: Lucius Rizzo, freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537CF293.5010508@sentex.net>
In-Reply-To: <20140520070926.GA92183@The.ie>

On 5/20/2014 3:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.

It depends. I will use ipfw or pf depending on the app. But I never use ipfilter as there is really no one maintaining it in FreeBSD. Also, if you are using RELENG_10, using pf can better take advantage of multiple cores.

For stateful firewalls, pf is the way to go for me. The rules are easy to manage in a simple text configuration file which makes it easier to maintain across reboots.

ipfw is good (for me) where speed is important, and very few rules are needed. Also, if you want to do traffic shaping, dummynet+ipfw works well. The traffic shaping solutions for pf are not so good right now.

    ---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/