From: Aiza
Date: Sat, 06 Feb 2010 07:04:55 +0800
To: Iv Ray
Cc: freebsd-questions@freebsd.org
Subject: Re: best firewall for a web server
Message-ID: <4B6CA417.90904@comclark.com>

Iv Ray wrote:
> We will be running a web server -
>
> - FreeBSD 8.x
> - Apache 2.x
> - php 5.x
> - PostgreSQL 8.x
> - Postfix 2.x
>
> - The server will run nearly 98% of the time below 25% load (no high performance firewall is needed).
> - Access to the server will be done only via ssh w/ key (there will be no public ftp, etc.).
>
> I read several threads on FreeBSD Questions and checked the Handbook, and my conclusion is that PF seems the most straightforward for such a "classic" situation.
>
> Am I right?
>
> Thanks,
> Iv

I would use ipfilter. Its rules are the same as PF but its log is easier to read.