From: Luke Dean
To: "Zane C.B."
Cc: Bruce Cran, freebsd-questions
Subject: Re: Firewalls
Date: Fri, 2 May 2008 18:01:41 -0700 (PDT)
Message-ID: <20080502175312.O21313@border.lukas.is-a-geek.org>
In-Reply-To: <20080502191124.578b7cfe@vixen42>
References: <05B6619C-9771-41EA-B43E-05DB40CB3258@lafn.org> <48162A6E.8050607@cran.org.uk> <20080502191124.578b7cfe@vixen42>
List-Id: User questions (freebsd-questions@freebsd.org)

On Fri, 2 May 2008, Zane C.B. wrote:

> On Mon, 28 Apr 2008 20:50:06 +0100
> Bruce Cran wrote:
>
>> Doug Hardie wrote:
>>> FreeBSD supports 3 firewalls: IPF, IPFW, and PF. Some time ago
>>> (perhaps years) I seem to recall some discussion that one or more
>>> of those was better maintained and higher quality than the
>>> others. I don't see any indications of this in the handbook.
>>> Several years ago I needed to do traffic shaping and used IPFW
>>> with dummynet. It worked but the need eventually went away.
>>> More recently I needed to incorporate spamd which defaults to PF
>>> so I used that. However, now I am back to needing traffic
>>> shaping again. I suspect trying to use both PF and IPFW
>>> simultaneously will not be a good approach. In addition, there
>>> now are instructions for using spamd with IPFW so it appears that
>>> either PF or IPFW will do what I need. Is there any additional
>>> information available to assist in selecting between those?
>>> Thanks.
>>
>> As I understand it pf is often found to be easiest to use and has
>> lots of features like altq and os fingerprinting but is quite a bit
>> slower than ipfw.
>
> There is one thing that IPFW has that PF does not that I have found
> to be very handy at times. It can be used to set up firewall rules
> that only affect a specific group or user.

PF can do this too. There were threading/locking/crashing issues when
last I tried to use that feature of PF back in FreeBSD 5.x, but that
was a very long time ago.
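The per-user and per-group matching discussed above, written out for both firewalls as an added example (not code from anyone in the thread): ipfw's `uid`/`gid` rule options and pf.conf's `user`/`group` keywords. The user `alice`, the group `proxy` and the interface `em0` are made-up names. Both firewalls resolve the user or group by looking up the local socket that owns the packet (the user who opened an outgoing connection, or the user whose daemon listens on the destination port of an incoming one), so these rules only affect traffic that starts or ends on the firewall host; routed traffic has no owning socket and is not matched by them. The script prints both rule sets by default and only pushes the ipfw rules into the kernel when run with the `install` argument on a host that has ipfw.

```shell
#!/bin/sh
# Per-user / per-group firewall rules, ipfw and pf side by side.
# Added example, not from the mailing-list thread. "alice", "proxy" and
# "em0" are assumed names; substitute your own.
set -eu

# ipfw(8) rules, one "add" per line, in the form ipfw itself accepts.
# uid/gid are rule options and only match TCP/UDP packets that belong to
# a socket on this host, hence "from me ... out".
ipfw_per_user_rules() {
    cat <<'EOF'
add 1000 allow tcp from me to any 80,443 out gid proxy
add 1010 deny tcp from me to any 80,443 out
add 1100 deny tcp from me to any 25 out uid alice
EOF
}

# pf.conf(5) equivalent. pf evaluates all rules and the last match wins
# (no "quick" here), so the group-specific "pass" is listed after the
# general "block". user/group refer to the effective IDs of the socket
# owner; for forwarded connections they are "unknown" and never match.
pf_per_user_rules() {
    cat <<'EOF'
ext_if = "em0"
block out on $ext_if proto tcp to any port { 80, 443 }
pass  out on $ext_if proto tcp to any port { 80, 443 } group proxy
block out on $ext_if proto tcp to any port 25 user alice
EOF
}

# Load the ipfw rules into the running kernel, one at a time.
# Only attempted on request and only where ipfw exists.
install_ipfw_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available on this host" >&2; return 1; }
    ipfw_per_user_rules | while read -r line; do
        # word splitting of $line into "add 1000 allow ..." is intended
        ipfw -q $line
    done
}

case "${1:-show}" in
    install) install_ipfw_rules ;;
    show)
        echo "# ipfw rules"; ipfw_per_user_rules
        echo; echo "# pf.conf equivalent"; pf_per_user_rules
        ;;
    *) echo "usage: $0 [show|install]" >&2; exit 2 ;;
esac
```

Keeping the rules in functions that print them, with a separate install step, lets the same file be reviewed with `sh rules.sh` on any machine and applied with `sh rules.sh install` on the firewall; the pf side goes into pf.conf and is loaded with pfctl as usual. Whichever firewall is used, the check worth making after loading is that traffic from a non-matching user is unaffected and that the rules do nothing for forwarded packets, since that is the property both implementations share.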