From: "Zane C.B."
To: Bruce Cran
Cc: freebsd-questions
Date: Fri, 2 May 2008 19:11:24 -0500
Subject: Re: Firewalls

On Mon, 28 Apr 2008 20:50:06 +0100
Bruce Cran wrote:

> Doug Hardie wrote:
> > FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago
> > (perhaps years) I seem to recall some discussion that one or more
> > of those was better maintained and higher quality than the
> > others. I don't see any indications of this in the handbook.
> > Several years ago I needed to do traffic shaping and used IPFW
> > with dummynet. It worked but the need eventually went away.
> > More recently I needed to incorporate spamd which defaults to PF
> > so I used that. However, now I am back to needing traffic
> > shaping again. I suspect trying to use both PF and IPFW
> > simultaneously will not be a good approach. In addition, there
> > now are instructions for using spamd with IPFW so it appears that
> > either PF or IPFW will do what I need. Is there any additional
> > information available to assist in selecting between those?
> > Thanks.
>
> As I understand it pf is often found to be easiest to use and has
> lots of features like altq and OS fingerprinting but is quite a bit
> slower than ipfw.

There is one thing that IPFW has that PF does not that I have found
to be very handy at times. It can be used to set up firewall rules
that only affect a specific group or user.