From: Hooman Fazaeli
Date: Wed, 21 May 2014 16:48:49 +0430
To: Lucius Rizzo
Cc: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537C99A9.5040305@gmail.com>
In-Reply-To: <20140520070926.GA92183@The.ie>

On 5/20/2014 11:39 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout the Solaris years. Lately, on my Linux servers, I end up running
> ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, outside configuration differences, all firewalls essentially
> serve the same purpose, but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good, interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent Heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,
>

pf has some advanced features which make it more suitable for bigger and more complex networks.
pf advantages:

- Operating system fingerprints as a rule condition
- Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
- IP address ranges
- Redirecting reply packets (reply-to)
- More state limiting options to resist DoS (max-src-nodes, max-src-states, max-src-conn, max-src-conn-rate)
- Simpler NAT syntax
- ICMP for ICMP/TCP/UDP NAT
- More load-share NAT options (round-robin, source hash, ...)
- Full packet logging via the pflog pseudo interface
- Rule labels
- More control via CLI (pfctl)
- pftop
- Active-active failover (pfsync)
- SYN proxy

See the pf.conf(5) man page for details.

ipfw advantages:

- MAC (L2) type/src/dst filtering (although very restricted, i.e., you may only specify a single MAC address as src)
- Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

--
Best regards.
Hooman Fazaeli
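The following pf.conf fragment is an added example written for this page to show several of the pf features listed in the reply above in one ruleset: dynamic interface addresses, round-robin rdr, pflog logging, per-source state limits with an overload table, synproxy, OS fingerprint matching, an address range, reply-to and rule labels. It is not the author's ruleset or FreeBSD's own code, and it uses the syntax of the pf version shipped with FreeBSD 10. The interface names (em0, em1, em2), the addresses 10.0.0.0/24, 203.0.113.1, the backend list and the "accept SMTP only from FreeBSD hosts" policy are all assumed placeholders.

```pf
# Added example pf.conf (not from the original message). Interface names,
# addresses and the secondary gateway are assumed placeholders for a small
# edge firewall with one LAN, a primary uplink and a secondary uplink.
ext_if  = "em0"              # primary uplink (assumed)
ext_if2 = "em1"              # secondary uplink (assumed)
int_if  = "em2"              # LAN (assumed)
gw2     = "203.0.113.1"      # assumed gateway on the secondary uplink
web_servers = "{ 10.0.0.10, 10.0.0.11 }"   # assumed backends

# Table filled at run time by the overload option below; 'persist' keeps
# the table around even while it is empty.
table <bruteforce> persist

set skip on lo0
scrub in all

# NAT: the dynamic address ($ext_if) is re-evaluated whenever the uplink
# address changes (e.g. DHCP), so the ruleset needs no reload.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Load-shared redirection to two backends, round-robin.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers round-robin

# Default deny; 'log' copies the packet to the pflog0 pseudo interface.
block log all

# Sources that tripped the SSH limit below are dropped before anything else.
block in quick on $ext_if from <bruteforce>

# SSH from outside: at most 10 concurrent connections per source and no more
# than 5 new connections per 30 seconds; an offender is added to <bruteforce>
# and all of its existing states are flushed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global) \
    label "ssh-in"

# HTTP to the redirected backends: pf completes the TCP handshake itself and
# only creates a state toward the backend once the client has finished it,
# so half-open SYN floods never reach the servers.
pass in on $ext_if inet proto tcp from any to $web_servers port 80 \
    flags S/SA synproxy state label "http-in"

# OS fingerprint as a rule condition (assumed policy): accept SMTP only when
# the SYN matches the "FreeBSD" signatures from pf.os.
pass in on $ext_if inet proto tcp from any os "FreeBSD" to ($ext_if) port 25 \
    flags S/SA keep state label "smtp-in"

# Address range without a CIDR prefix for a management block on the LAN.
pass in on $int_if inet proto tcp from 10.0.0.100 - 10.0.0.120 to ($int_if) port 22 \
    flags S/SA keep state label "mgmt-ssh"

# Replies to traffic that arrived on the secondary uplink are sent back
# through that uplink's gateway instead of following the default route.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state label "ssh-in-backup"

pass out on $ext_if inet keep state
pass out on $ext_if2 inet keep state
pass in on $int_if from $int_if:network to any keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it. Once active, `pfctl -s labels` prints per-label packet and byte counters, `pfctl -t bruteforce -T show` lists the sources the overload option has blocked, and `tcpdump -n -e -ttt -i pflog0` shows the packets the `block log` rule dropped.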