Date: Wed, 21 May 2014 16:48:49 +0430
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
To: Lucius Rizzo <Lucius.Rizzo@The.ie>
Cc: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537C99A9.5040305@gmail.com>
In-Reply-To: <20140520070926.GA92183@The.ie>
References: <20140520070926.GA92183@The.ie>
On 5/20/2014 11:39 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter on Solaris and
> throughout the Solaris years. Lately, on my Linux servers, I end up running
> ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, outside configuration differences, all firewalls essentially
> serve the same purpose, but I wonder what is your favourite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent Heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,

pf has some advanced features which make it more suitable for bigger and
more complex networks.

pf advantages:

- Operating system fingerprints as rule condition
- Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
- IP address ranges
- Redirecting reply packets (reply-to)
- More state limiting options to resist DoS (max-src-nodes, max-src-states,
  max-src-conn, max-src-conn-rate)
- Simpler NAT syntax
- ICMP for ICMP/TCP/UDP NAT
- More load-share NAT options (round-robin, source hash, ...)
- Full packet logging via pflog pseudo interface
- Rule labels
- More control via CLI (pfctl)
- pftop
- Active-active failover (pfsync)
- SYN proxy

See the pf.conf(5) man page for details.

ipfw advantages:

- MAC (L2) type/src/dst filtering (although very restricted, i.e., you may
  only specify a single MAC address as src)
- Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

--
Best regards.
Hooman Fazaeli
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?537C99A9.5040305>
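The pf features listed in the reply above, shown together in one ruleset. This is an added example, not a configuration posted in the thread; it uses the pre-OpenBSD-4.7 translation syntax (separate nat/rdr rules) that FreeBSD 10's pf accepts, and the interface names (em0, em1, em2), addresses, web farm members and upstream gateway are assumed.

```pf
# Added example (not from the thread). Interfaces, addresses and the web
# farm are assumed; addresses come from the RFC 5737 documentation ranges.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan     = $int_if:network

# Tables: the web farm behind the rdr rule, and a persistent table that the
# overload option further down fills with abusive source addresses.
table <webfarm>    { 10.0.0.11, 10.0.0.12, 10.0.0.13 }
table <bruteforce> persist

set skip on lo0
set loginterface $ext_if      # per-interface counters for pfctl -si

# Dynamic interface address: ($ext_if) is re-evaluated when the address
# changes, so a DHCP or PPPoE renewal needs no ruleset reload.
nat on $ext_if from $lan to any -> ($ext_if)

# Load-sharing redirection to the web farm; sticky-address keeps a client on
# the same backend for the lifetime of its states.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> <webfarm> round-robin sticky-address

# Default deny. Plain "log" records the first packet of each blocked flow
# to pflog0.
block in log all
block out log all

# Active-active failover plumbing: pfsync state updates and CARP
# advertisements must not themselves be synchronised.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# OS fingerprint as a rule condition: drop SYNs matching the NMAP
# signatures in pf.os before they reach any service.
block in quick on $ext_if proto tcp from any os "NMAP" to any

# SYN proxy plus per-source limits on SSH. A source opening more than 5 new
# connections in 30 seconds is added to <bruteforce> and all of its states
# are flushed; the quick block above the pass rule enforces the table.
# Labels let pfctl -sl report per-rule counters.
block in quick on $ext_if from <bruteforce> to any label "bruteforce-blocked"
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global) \
    label "ssh-in"

# Redirected web traffic (the filter sees the post-rdr destination).
# "log (all)" records every packet of the flow, not only the first, which
# is the full packet logging the reply refers to.
pass in log (all) on $ext_if proto tcp from any to <webfarm> port 80 \
    flags S/SA keep state (max-src-states 100) label "http-in"

# reply-to: replies to connections that arrived on $ext_if are sent back
# through that interface's gateway even if the routing table prefers
# another link (multi-WAN setups). The gateway address is assumed.
pass in on $ext_if reply-to ($ext_if 198.51.100.1) proto tcp \
    from any to ($ext_if) port 443 flags S/SA keep state label "https-in"

# LAN clients may go anywhere, except that the firewall's own SSH is only
# reachable from an IP address range, expanded by pf at load time. Without
# "quick", the last matching rule wins, so the range rule overrides the block.
pass in on $int_if from $lan to any keep state
block in on $int_if proto tcp from $lan to ($int_if) port ssh
pass in on $int_if proto tcp from 192.168.1.10 - 192.168.1.20 \
    to ($int_if) port ssh keep state label "lan-admin-ssh"

# Outbound from the firewall and for NATed LAN traffic; the filter sees the
# translated source, so match on the external address rather than $lan.
pass out on $ext_if from ($ext_if) to any keep state label "out-ext"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. Afterwards `pfctl -sl` prints the per-label counters, `pfctl -t bruteforce -T show` lists the addresses the overload option has added (`pfctl -t bruteforce -T expire 86400` ages them out), and `tcpdump -n -e -ttt -i pflog0` reads the logged packets together with the rule number and action that produced each entry.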