From: Cy Schubert
To: grarpamp
cc: freebsd-current@freebsd.org
Subject: Re: firewall choice
Date: Fri, 27 Nov 2020 22:26:10 -0800

In message , grarpamp writes:
> >>> What's the "best" [1] choice for firewalling these days
> >>> There's pf, ipf and ipfw.
> >>
> >>This question comes up over years.
> >>
> >>Consider starting and joining with people to create
> >>a comparison page on the FreeBSD Wiki,
> >>both a feature / capability comparison table,
> >>and contextual paragraphs.
> >>A mini project like that can help many users
> >>and add their researches to it.
> >
> > I'd be happy to if I knew where to start/how to start/is there a guide.
>
> Starting a wiki is here...
> https://wiki.freebsd.org/
> https://wiki.freebsd.org/AboutWiki
>
> Which falls under larger handbook doc area...
> https://lists.freebsd.org/mailman/listinfo/freebsd-doc
>
> Much of comparison would pull from man pages.
>
> Could also come from posting a call for input / announce
> to questions, hackers, forum, etc.
>
> Wiki should not duplicate admin info from here...
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> But would cover this handbook bullet item that is
> not actually covered in the handbook (which
> could link out to the wiki page for that)...
> "- The differences between the firewalls built into FreeBSD."
>
> A full comparison would also want to note and point to
> upstream sources, and have a table of which filter systems
> are supported going forward in each unix OS (the *BSD
> flavors including DragonFly ipfw3 pf, Linux netfilter+nftables,
> Illumos).

pf was originally written when Darren Reed took a job at Sun. He changed
the license at the time. FreeBSD moved it (and other software to contrib), as
did NetBSD (in their own way). OpenBSD wrote pf in the space of a week in
reaction to the license change.

>
> And cover layer2 capabilities, switching, bridging, ipv6,
> nat, rate limits / shape / queue, proxy, arbitrary rewriting
> and routing hooks, etc.
>
> NetBSD where ipf was last released has deprecated
> both ipf and pf in favor of npf. While upstream devel and
> maintenance on ipf has died, pf still lives on at OpenBSD.

It's hardly deprecated in NetBSD. Christos Zoulas and I have exchanged a
fair bit of code.
Darren Reed released and maintained IPF through the Australian National
University. NetBSD imported it, like we do here at FreeBSD, into their src
tree.

>
> Anyone can start. Have fun.

My ipf work is documented at https://wiki.freebsd.org/IPFilter.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

The need of the many outweighs the greed of the few.