Date: Fri, 27 Nov 2020 01:16:37 -0800
From: Chris
To: freebsd-current@freebsd.org
Subject: Re: firewall choice

On 2020-11-27 00:29, tech-lists wrote:
> Hi,
>
> What's the "best" [1] choice for firewalling these days, in the list's
> opinion?

I can't speak for the whole list. ;-)
But in my opinion, with tables totaling over 150 million IPs, I'm casting
a vote for pf(4). It's wildly easy on resources and as fast and flexible as
I could ever hope to want. Started using it years ago, and never looked
back. :-)

>
> There's pf, ipf and ipfw. Which is the one being most recently
> developed/updated?
> I'm used to using pf, have done for over a decade. But OpenBSD's pf has
> diverged a lot more from when it first came across. There seems to be a
> lot more options.
> Is FreeBSD's pf being actively developed still?

Yes. It is actively developed.

>
> ipfw seems a lot more syntactically complex than pf. Is it more capable also?
> I know nothing about ipf yet.
>
> [1] up-to-date, versatile, low overhead, high throughput, IPv6-able,
> traffic shaping/queueing
>
> thanks,

--Chris