From: Matthew Seaman
Organization: Infracaninophile
Date: Fri, 05 Jan 2007 08:37:03 +0000
To: Atom Powers
Cc: Brett Davidson, questions@freebsd.org
Subject: Re: Advice on which FreeBSD firewall package to choose.
Message-ID: <459E0E2F.8010505@infracaninophile.co.uk>

Atom Powers wrote:
> On 1/4/07, Eric wrote:
>> Brett Davidson wrote:
>> > Before I start, I'm familiar with IPTables from Linux but am wanting to
>> > use FreeBSD as a firewalling router after seeing it in action on a
>> > heavily-loaded webserver. I like the efficiency of the TCP stack.
>> >
>> > Upon reading the handbook I found that I can have my choice of three
>> > firewalls; pf, iptables and ipfw.
>> >
> ...
>> >
>> > Against prudence, they wish to allow torrent connections to the inside
>> > lan and ICQ connections to both the Inside LAN and the Wireless DMZ.
>> > The torrent and ICQ connections will need to be bandwidth-managed so
>> > that is a major consideration for the choice of which firewall to use.
>> > Is there an equivalent to HTB on FreeBSD?
>> >
>>
>> I believe pf is the most modern and cleanest/easiest syntax to use. It
>> is actively developed and lots of people use it. You can set up priority
>> on bandwidth in pf as well, so it should meet all your requirements
>> nicely.
>
> pf will also do the bandwidth management you want. I've used ipfw,
> ipf, iptables, and pf; pf is by far the most powerful and easy to use.
>

I also heartily endorse the use of pf. However, be aware that if you
want to use the QoS and other bandwidth management features you will
need to compile yourself a custom kernel with the appropriate ALTQ
stuff turned on. Unfortunately ALTQ is not currently available as a
loadable module. Compiling a new kernel is not particularly difficult
though.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
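
The kernel options and pf queue rules that the reply above refers to, as an added example that is not part of the original message or of anyone's actual configuration. The interface name, link rate, queue names and the torrent/ICQ port numbers are assumptions chosen for illustration.

```conf
# ---- Custom kernel config file (a copy of GENERIC plus these lines) ----
# ALTQ must be compiled in; pf itself could also be loaded as a module.
device   pf              # packet filter
device   pflog           # pflog(4) logging interface
options  ALTQ            # ALTQ framework
options  ALTQ_CBQ        # class-based queueing: hierarchical, with borrowing
options  ALTQ_HFSC       # hierarchical fair service curve
options  ALTQ_PRIQ       # strict priority queueing
options  ALTQ_RED        # random early detection
options  ALTQ_NOPCC      # required on SMP kernels

# ---- /etc/pf.conf (all values below are assumed, adjust to the site) ----
ext_if  = "em0"          # external interface; the NIC driver must support ALTQ
p2p_tcp = "6881:6889"    # conventional BitTorrent range (clients may differ)
icq_tcp = "5190"         # default ICQ server port

# One CBQ parent on the uplink, split into three child queues.
altq on $ext_if cbq bandwidth 2Mb queue { q_std, q_icq, q_p2p }
queue q_std bandwidth 80% priority 3 cbq(default borrow)
queue q_icq bandwidth 10% priority 5 cbq(borrow)
queue q_p2p bandwidth 10% priority 1 cbq(red)   # no borrow: hard cap

# Filter rules: the last matching rule wins, so specific rules come last.
block in on $ext_if
pass out on $ext_if keep state                   # lands in q_std (default)
pass out on $ext_if proto tcp from any to any port $icq_tcp \
        keep state queue q_icq
pass out on $ext_if proto tcp from any to any port $p2p_tcp \
        keep state queue q_p2p
# Inbound peers: the state's replies leave via $ext_if and are queued too.
pass in on $ext_if proto tcp from any to any port $p2p_tcp \
        keep state queue q_p2p
```

ALTQ only schedules packets leaving the interface the queue is attached to, so capping download traffic toward the LAN needs a second `altq` definition on the internal interface. After loading the ruleset, `pfctl -s queue -v` shows per-queue counters for checking that traffic is landing in the intended queue.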