Date: Fri, 24 Jun 2005 23:56:14 +0300
From: Giorgos Keramidas
To: fbsd_user, Khanh Cao Van
Cc: freebsd-questions
Subject: Re: firewall on FreeBSD

On 2005-06-24 10:31, fbsd_user wrote:
> Which firewall you select to use should be based on your level of
> understanding of how information is moved across the internet.
>
> Ipfilter is best suited for people who are just learning about
> firewalling. PF is a little more automated and the rules are very
> close to IPF's.

True.

> IPFW is for the advanced firewall users who have expert understanding
> of the internet.

Blatantly false.

> All 3 firewalls support stateful rules and are available in the 5.4
> release. Best advice is start with Ipfilter and when you find out that
> you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too.

The choice of the "best" firewall is, these days, more often than not an
issue of which one matches the specific application and the taste of the
one who is going to set it up, i.e.

  * DUMMYNET is a very nice bandwidth limiting & shaping tool, which
    may sometimes lead to choosing IPFW.

  * On the other hand, PF/ALTQ may be used to do similar things, so
    some users will obviously prefer this set of tools for other
    reasons (for instance, because they like the ruleset style better).

  * IP Filter is almost obsoleted by PF on FreeBSD, but it's still
    one of the most portable firewalls out there (I use it on Solaris
    all the time, for example).

There isn't a "best firewall for all cases". They all have their
respective strengths and/or weaknesses.

=== To the original poster ===

I say, try them all out and choose the one _YOU_ prefer, for the reasons
that are important in _YOUR_ setup.

- Giorgos