Date:      Sat, 24 May 2014 12:12:20 -0700
From:      Darren Pilgrim <list_freebsd@bluerosetech.com>
To:        Lucius Rizzo <Lucius.Rizzo@The.ie>, freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <5380EF14.60202@bluerosetech.com>
In-Reply-To: <20140520070926.GA92183@The.ie>
References:  <20140520070926.GA92183@The.ie>

On 5/20/2014 12:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences, all firewalls essentially
> serve the same purpose, but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use ipfw on servers and end devices when I need a mitigation-oriented 
firewall.  It makes simple work of putting up notch filters, but its 
syntax gets a bit ugly if you're doing up a router configuration.

I build routers from pf on OpenBSD and Intel hardware.  $1k of PC and I 
can shove gigabits through full BGP tables and big sets of ACLs all day 
long.  Something comparable from Cisco would have a five- or six-digit 
price tag and leave you unsatisfied.  For lighter workloads, Ubiquiti's 
EdgeRouter family is lovely and it gets you the benefit of a well-known 
interface if you're handing off the admin hat.  I abandon FreeBSD in 
this use case--ipfw syntax isn't clean enough and pf's IPv6 support is 
broken.

I haven't touched ipf in over a decade and don't miss it at all.



