Date: Sat, 24 May 2014 02:12:20 -0400
From: Charles Sprickman <spork@bway.net>
To: Peter Wemm <peter@wemm.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net>
In-Reply-To: <537FB96D.1040503@wemm.org>
References: <20140520070926.GA92183@The.ie> <lln2o2$77d$1@usenet.ziemba.us> <FE050654-7AE7-4E5D-B191-9A620B9D61AD@tao.org.uk> <537FB96D.1040503@wemm.org>
On May 23, 2014, at 5:11 PM, Peter Wemm <peter@wemm.org> wrote:

> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable@ziemba.us> wrote:
>>
>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>>
>>>> Ultimately, outside configuration differences all firewalls essentially
>>>> serve the same purpose but I wonder what is your favorite and why? If
>>>> you were to run FreeBSD in production, which of the three would you
>>>> choose? IPFilter, PF or IPFW?
>>> I switched to pf about seven months ago as I began to need to
>>> manage bandwidth for specific classes of traffic (for example,
>>> prevent outbound mailing list email from saturating the link
>>> and reserve some bandwidth for interactive use).
>>>
>>> The syntax is very close and the NAT configuration is simpler in pf.
>> Does pfsync handle NAT tables?
>> Could I use it to build a resilient carrier grade NAT solution?
>>
>
> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>
> Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.

Off-topic, but it sounds like you need the Juniper equivalent of the Cisco "spanning-tree portfast" command on your switch interfaces that connect to end hosts. The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode.

This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.

Charles

>
> -Peter
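The setup Peter describes (pf NAT with its state table replicated by pfsync, a shared address owned by CARP) and the edge-port fix Charles suggests, written out as one added configuration example. This is not configuration from the freebsd.org cluster or from anyone in the thread; the interface names (em0/em1/em2, ge-0/0/10), the 203.0.113.0/24 and 192.168.1.0/24 addresses, the vhids and the CARP password are all made up for the example, and the second node differs only in its own addresses and a higher advskew.

```conf
# ---- /etc/rc.conf on firewall A (the preferred master) ----
# Assumed: em0 = outside, em1 = LAN, em2 = dedicated sync link (example values).
gateway_enable="YES"
defaultrouter="203.0.113.254"

ifconfig_em0="inet 203.0.113.2/24"
# The shared outside address; NAT translates to this, not to 203.0.113.2,
# so translated flows keep working after the address moves to node B.
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass S3cretCarp alias 203.0.113.1/32"

ifconfig_em1="inet 192.168.1.2/24"
# The shared LAN gateway address.
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass S3cretCarp alias 192.168.1.1/32"

# pfsync replicates the pf state table (including NAT entries) to the peer.
ifconfig_em2="inet 10.255.0.1/30"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="10.255.0.2"

pf_enable="YES"
pf_rules="/etc/pf.conf"

# ---- /etc/sysctl.conf on both nodes ----
# Demote every vhid together if one interface fails, so both shared
# addresses move as a unit instead of splitting between the nodes.
net.inet.carp.preempt=1

# ---- /etc/pf.conf on both nodes (identical) ----
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan     = "192.168.1.0/24"
carp_ext = "203.0.113.1"

set skip on lo0

# NAT the LAN out through the CARP address, not the node's own address.
nat on $ext_if inet from $lan to any -> $carp_ext

block in all
pass out all keep state

# Cluster plumbing: pfsync only on the dedicated link, CARP on the shared segments.
pass quick on $sync_if proto pfsync
pass quick on { $ext_if $int_if } proto carp

pass in on $int_if from $lan to any keep state

# ---- Junos, on the EX switch ports that face the two firewalls ----
# Assumed port name; marks the port as an RSTP edge port so it goes
# straight to forwarding instead of waiting through listening/learning.
set protocols rstp interface ge-0/0/10.0 edge
```

Two caveats a practitioner should keep in mind with this layout. pfsync carries the full state table in cleartext with no authentication, so anyone who can inject on the sync segment can insert or clear states on both firewalls; keep it on a point-to-point link as above, or put it inside IPsec. The CARP "pass" only authenticates advertisements with a shared-key hash, so it stops accidental vhid clashes but is not a substitute for keeping untrusted hosts off the segment. On the switch side, the edge setting belongs only on ports that will never see another switch; an edge port that later gets a switch plugged into it can form a loop before STP reacts, which is why Charles limits the suggestion to host-facing ports.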
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542A7016-FEE2-418C-B1F1-2227378BB4C8>