From owner-freebsd-stable@FreeBSD.ORG  Wed May 21 12:18:51 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E930E1A4
 for <freebsd-stable@freebsd.org>; Wed, 21 May 2014 12:18:50 +0000 (UTC)
Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com
 [IPv6:2a00:1450:400c:c00::234])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8070E21C5
 for <freebsd-stable@freebsd.org>; Wed, 21 May 2014 12:18:50 +0000 (UTC)
Received: by mail-wg0-f52.google.com with SMTP id l18so1903418wgh.23
 for <freebsd-stable@freebsd.org>; Wed, 21 May 2014 05:18:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=message-id:date:from:user-agent:mime-version:to:cc:subject
 :references:in-reply-to:content-type:content-transfer-encoding;
 bh=8Mmev1JWzM8xZJHbKwjIOVdA445IZe//Eu1KXOwsH3s=;
 b=zFIi86Tt6D8875aguddZLWHyZcLwgqpYtWFwSwtYcM9jbRyREfVs0+yiAqXmx2ouEH
 n/Mmt00zcy7CcK8yTMH6JZxt24WvhDpSInpWQQl/3YKMzjrAsoGcS5mPIFD8aWEBgPkU
 0uGw+dDuOncITwAC8FzzvrzcppGFDD7XgdmyVOr1g5XGOG8mcXhau7PHesEnSb6ygvV6
 wLo2GSbYf2/RZ434J2BNEvrHmSNk4oQ+NdQ72tNSZc4bPOQ8NkcoBsWzs7A4RdI/+FLN
 cIu+ymt7h7g5HrQU53OPu0HdxEwajpa6bpsiknW/ScpW45Yvsuux+fEI7SNKLblI6GNB
 AuKw==
X-Received: by 10.180.92.103 with SMTP id cl7mr10034824wib.26.1400674728657;
 Wed, 21 May 2014 05:18:48 -0700 (PDT)
Received: from [192.168.2.30] ([2.176.226.46])
 by mx.google.com with ESMTPSA id kp5sm22372183wjb.30.2014.05.21.05.18.47
 for <multiple recipients>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Wed, 21 May 2014 05:18:47 -0700 (PDT)
Message-ID: <537C99A9.5040305@gmail.com>
Date: Wed, 21 May 2014 16:48:49 +0430
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: Lucius Rizzo <Lucius.Rizzo@The.ie>
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
References: <20140520070926.GA92183@The.ie>
In-Reply-To: <20140520070926.GA92183@The.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 12:18:51 -0000

On 5/20/2014 11:39 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls are essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even a iptables rule set to prevent heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,
>
pf has some advanced features which makes it more suitable for bigger and more complex networks.

pf advantages:
     - Operating system finger prints as rule condition
     - Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
     - IP address range
     - Redirecting reply packets (reply-to)
     - More state limiting options to resist DoS (max-src-nodes, max-src-states, max-src-conn, max-src-conn-rate)
     - Simpler NAT syntax
     - ICMP for ICMP/TCP/UDP NAT
     - More load-share NAT options (round-robin, source hash, ...)
     - Full packet logging via pflog pseudo interface
- Rule labels
     - More control via CLI (pfctl)
     - pftop
     - Active-active failover (pfsync)
     - Syn proxy

see pf.conf(5) man page for details.

ipfw advantages:
        - MAC (L2) type/src/dst filtering (although very restricted, i.e., you may only specify a single MAC address as src)
        - Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

-- 

Best regards.
Hooman Fazaeli