From: "G. Paul Ziemba"
To: freebsd-stable@FreeBSD.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Date: Fri, 23 May 2014 09:00:50 +0000 (UTC)
References: <20140520070926.GA92183@The.ie>
Reply-to: paul+usenet@w6yx.stanford.edu

Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>Ultimately, outside configuration differences, all firewalls essentially
>serve the same purpose, but I wonder what is your favorite and why? If
>you were to run FreeBSD in production, which of the three would you
>choose? IPFilter, PF or IPFW?

I was a long-time user of ipfilter from its early days in the 1990s on Solaris. I started running it on FreeBSD in September 1999 (FreeBSD 3.2). I switched to pf about seven months ago as I began to need to manage bandwidth for specific classes of traffic (for example, to prevent outbound mailing list email from saturating the link and to reserve some bandwidth for interactive use). The syntax is very close, and the NAT configuration is simpler in pf.

Here are some of my reasons for switching:

1. Development activity. There seems to be almost no development of ipfilter for FreeBSD anymore. Beyond the drama last year about whether it would continue to be supported at all in FreeBSD, I'm not sure there is even any development of the base ipfilter now. The project web page (as linked from the FreeBSD Handbook as well as the Wikipedia page) seems to have disappeared.

2. Integrated queue configuration (enabling bandwidth management of selected traffic). This feature is not in ipfilter and is what drove my switch.

3. Integrated macro and subroutine support (the latter are referred to as "anchors"). It simplified my rule files a bit. Also, being able to reload rules at specific anchors simplified handling of my time-based rules.

I haven't checked recently, but I believe VIMAGE support for FreeBSD's pf is still missing. There were some development efforts a couple of years ago, but I never saw the patches get added to the distributed FreeBSD. As a result I am using VirtualBox VMs instead of jails for some of my internet-facing services.

-- 
G. Paul Ziemba
FreeBSD unix: 1:56AM up 117 days, 2:55, 24 users, load averages: 1.49, 1.60, 1.60
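The two pf features the reply credits for the switch (points 2 and 3: ALTQ queues for bandwidth management, and macros plus anchors for reloadable rule subsets) in one pf.conf. This is an added example, not configuration from the original post or from the FreeBSD project; the interface names em0/em1, the 10 Mb/s uplink, the mail host address 192.0.2.25, the queue names and the anchor name "timed" are all assumed for illustration.

```pf
# Added example pf.conf (not from the original post). Assumed: em0 is the
# external interface on a 10 Mb/s uplink, em1 is the LAN, 192.0.2.25 is the
# host that sends mailing-list mail. ALTQ needs a kernel built with
# "options ALTQ" and "options ALTQ_CBQ" (plus ALTQ_NOPCC on SMP); GENERIC
# does not include them, so a GENERIC kernel rejects the altq lines below.

# Macros: interface names and hosts are changed in one place.
ext_if      = "em0"
int_if      = "em1"
mail_host   = "192.0.2.25"
in_services = "{ ssh, smtp, https }"

set skip on lo0
scrub in on $ext_if all

# Queues on the external interface. Mail is hard-capped at 20% of the link
# (no "borrow"), so a mailing-list burst cannot saturate it. Interactive
# traffic gets a guaranteed 30% at the highest priority and may borrow idle
# capacity. Everything else lands in the default queue.
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_mail, q_interactive }
queue q_default     bandwidth 50% cbq(default borrow)
queue q_mail        bandwidth 20% cbq
queue q_interactive bandwidth 30% priority 7 cbq(borrow)

nat on $ext_if inet from $int_if:network to any -> ($ext_if)

block in log all

# Queue assignment is per state: packets of a matching session that leave
# $ext_if are placed in the named queue. The last matching rule wins, so the
# general rule comes first and the specific queue rules override it.
pass out on $ext_if keep state queue q_default
pass out on $ext_if inet proto tcp from $mail_host to any port smtp \
    keep state queue q_mail
# Second queue in the pair receives ACKs and lowdelay-TOS packets, which is
# what keeps an interactive ssh session responsive under a bulk transfer.
pass out on $ext_if inet proto tcp to any port ssh \
    keep state queue (q_default, q_interactive)
pass in on $ext_if inet proto tcp to ($ext_if) port $in_services \
    keep state queue (q_default, q_interactive)

# Anchor: the time-based rules live in a separate file and are swapped in
# and out (for example from cron) without reloading the main ruleset:
#   pfctl -a timed -f /etc/pf.timed.conf   # load, replacing anchor contents
#   pfctl -a timed -F rules                # flush when the window ends
# That file is parsed on its own, so the macros above are not visible in it;
# repeat the macros there or use literal interface names.
anchor "timed" in on $ext_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a parse error in the altq or queue lines (typically a kernel without ALTQ, or queue bandwidths that exceed the parent) is reported there rather than after the old ruleset has already been replaced. Loading the anchor file with `pfctl -a timed -f` replaces only that anchor's rules, so the states and queues created by the main ruleset stay in place.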