From owner-freebsd-current@freebsd.org Fri Nov 27 23:11:46 2020
From: grarpamp
Date: Fri, 27 Nov 2020 18:11:43 -0500
Subject: Re: firewall choice
To: freebsd-current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current

>>> What's the "best" [1] choice for firewalling these days
>>> There's pf, ipf and ipfw.
>>
>> This question comes up over years.
>>
>> Consider starting and joining with people to create
>> a comparison page on the FreeBSD Wiki,
>> both a feature / capability comparison table,
>> and contextual paragraphs.
>> A mini project like that can help many users
>> and add their researches to it.
>
> I'd be happy to if I knew where to start/how to start/is there a guide.

Starting a wiki is here...
https://wiki.freebsd.org/
https://wiki.freebsd.org/AboutWiki

Which falls under larger handbook doc area...
https://lists.freebsd.org/mailman/listinfo/freebsd-doc

Much of comparison would pull from man pages.
Could also come from posting a call for input / announce to
questions, hackers, forum, etc.

Wiki should not duplicate admin info from here...
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

But would cover this handbook bullet item that is not actually
covered in the handbook (which could link out to the wiki page for that)...
"- The differences between the firewalls built into FreeBSD."

A full comparison would also want to note and point to upstream sources,
and have a table of which filter systems are supported going forward
in each unix OS (the *BSD flavors including DragonFly ipfw3 pf,
Linux netfilter+nftables, Illumos).
And cover layer2 capabilities, switching, bridging, ipv6, nat,
rate limits / shape / queue, proxy, arbitrary rewriting and
routing hooks, etc.

NetBSD where ipf was last released has deprecated both ipf and pf
in favor of npf. While upstream devel and maintenance on ipf has died,
pf still lives on at OpenBSD.

Anyone can start. Have fun.