Date:      Fri, 23 May 2014 09:00:50 +0000 (UTC)
From:      "G. Paul Ziemba" <pz-freebsd-stable@ziemba.us>
To:        freebsd-stable@FreeBSD.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <lln2o2$77d$1@usenet.ziemba.us>
References:  <20140520070926.GA92183@The.ie>

Lucius.Rizzo@The.ie (Lucius Rizzo) writes:

>Ultimately, outside configuration differences, all firewalls essentially
>serve the same purpose, but I wonder what is your favorite and why? If
>you were to run FreeBSD in production, which of the three would you
>choose? IPFilter, PF or IPFW?

I was a long-time user of ipfilter from its early days in the
1990's on Solaris. I started running it on FreeBSD in September 1999
(FreeBSD 3.2).

I switched to pf about seven months ago as I began to need to
manage bandwidth for specific classes of traffic (for example,
prevent outbound mailing list email from saturating the link
and reserve some bandwidth for interactive use).

The syntax is very close and the NAT configuration is simpler in pf.

Here are some of my reasons for switching:

1. Development activity. There seems to be almost no development
   of ipfilter for FreeBSD anymore. Beyond the drama last year
   about whether it would continue to be supported at all in FreeBSD,
   I'm not sure there is even any development of the base ipfilter
   now. The project web page (as linked from the FreeBSD Handbook
   as well as the Wikipedia page) seems to have disappeared.

2. Integrated queue configuration (enabling bandwidth management
   of selected traffic). This feature is not in ipfilter and
   is what drove my switch.

3. Integrated macro and subroutine support (the latter are
   referred to as "anchors"). It simplified my rule files a
   bit. Also, being able to reload rules at specific anchors
   simplified handling of my time-based rules.

I haven't checked recently, but I believe VIMAGE support for
FreeBSD's pf is still missing. There were some development
efforts a couple years ago but I never saw the patches get
added to the distributed FreeBSD. As a result I am using
VirtualBox VMs instead of jails for some of my internet-facing
services.
-- 
G. Paul Ziemba
FreeBSD unix:
 1:56AM  up 117 days,  2:55, 24 users, load averages: 1.49, 1.60, 1.60
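As an added illustration of the three pf features the reply above credits for the switch (macros, queue-based bandwidth management, and anchors that can be reloaded independently), here is a small pf.conf in the ALTQ syntax FreeBSD's pf used at the time. It is not the poster's configuration: the interface name em0, the 192.0.2.0/24 LAN, the 10Mb link figure, the queue shares, the <mailhosts> table and the anchor name "timed" are all assumed values chosen for the example.

```pf
# Example pf.conf (added illustration, not from the original post).
# Assumed: em0 is the external interface, 192.0.2.0/24 is the LAN,
# the upstream link is 10Mb, and the time-based rules live in an
# anchor called "timed". Section order follows pf.conf(5): macros,
# tables, options, normalization, queueing, translation, filtering.

# --- Macros: pf's built-in variable support ---
ext_if     = "em0"
lan_net    = "192.0.2.0/24"
mail_ports = "{ smtp, submission }"
iact_ports = "{ ssh, domain }"

# Hosts that send bulk mailing-list traffic (assumed address).
table <mailhosts> { 192.0.2.25 }

set skip on lo0
scrub in all

# --- ALTQ queue tree: the bandwidth management the post describes ---
# The link bandwidth is declared once on the outbound interface; child
# queues get a guaranteed share and may borrow idle capacity (borrow).
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_mail, q_iact }
queue q_std  bandwidth 50% cbq(default)
queue q_mail bandwidth 20% cbq(borrow)            # capped share for bulk mail
queue q_iact bandwidth 30% priority 7 cbq(borrow) # interactive traffic, served first

# --- NAT for the LAN: one line, using the interface's current address ---
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Filter rules ---
block in log on $ext_if
pass out on $ext_if keep state queue q_std

# Outbound mail from the list server is pinned to the capped queue, so a
# large list delivery cannot saturate the link for everyone else.
pass out on $ext_if proto tcp from <mailhosts> to any port $mail_ports \
    keep state queue q_mail

# Interactive sessions and DNS go into the high-priority queue. Queue
# assignment follows the state, so replies to inbound ssh are queued on
# the way out as well.
pass out on $ext_if proto { tcp udp } to any port $iact_ports \
    keep state queue q_iact
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state queue q_iact

# --- Anchor: a named attachment point for a separately loaded ruleset ---
# The main ruleset stays loaded; only the rules inside "timed" are
# swapped, for example from cron:
#   pfctl -a timed -f /etc/pf.timed.conf   # load the daytime rules
#   pfctl -a timed -F rules                # flush them again at night
#   pfctl -a timed -s rules                # show what the anchor holds now
anchor "timed"
```

The file loaded into the anchor holds ordinary filter rules only; macros defined in the main pf.conf are not visible to a ruleset loaded separately with `pfctl -a`, so spell out ports and addresses there. `pfctl -nf /etc/pf.conf` parses the main file without loading it, which is a cheap check to run before `pfctl -f /etc/pf.conf` on a production box.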