Date: Fri, 23 May 2014 14:11:09 -0700
From: Peter Wemm <peter@wemm.org>
To: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537FB96D.1040503@wemm.org>
In-Reply-To: <FE050654-7AE7-4E5D-B191-9A620B9D61AD@tao.org.uk>
References: <20140520070926.GA92183@The.ie> <lln2o2$77d$1@usenet.ziemba.us> <FE050654-7AE7-4E5D-B191-9A620B9D61AD@tao.org.uk>
On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable@ziemba.us> wrote:
>
>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>
>>> Ultimately, outside configuration differences all firewalls essentially
>>> serve the same purpose but I wonder what is your favorite and why? If
>>> you were to run FreeBSD in production, which of the three would you
>>> choose? IPFilter, PF or IPFW?
>> I switched to pf about seven months ago as I began to need to
>> manage bandwidth for specific classes of traffic (for example,
>> prevent outbound mailing list email from saturating the link
>> and reserve some bandwidth for interactive use).
>>
>> The syntax is very close and the NAT configuration is simpler in pf.
> Does pfsync handle NAT tables?
> Could I use it to build a resilient carrier grade NAT solution?
>

Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.

Be aware that things can get a little twitchy if your switches have an extended link-up period. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.

-Peter
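The hold-down state Peter describes (keep a freshly booted carp node from becoming master until its links have actually come up) can be scripted. The following is an added example written for this archive page, not code from the freebsd.org cluster or from any poster; it assumes FreeBSD 10-style carp, that `net.inet.carp.demotion` accepts a relative `+N`/`-N` adjustment as described in carp(4), and that `ifconfig` reports `status: active` once the link is established. The interface name and the 240 demotion value are placeholders.

```shell
#!/bin/sh
# carp-holddown.sh (constructed example, not from the original post)
#
# Purpose: keep this node demoted in carp until the uplink reports an
# established link, so a slow switch (the Juniper EX delay mentioned in
# the thread) does not cause a master flap on every boot.

# link_active: read ifconfig-style output on stdin, succeed if the
# interface reports "status: active" (the assumed link-up indicator).
link_active() {
    grep -q '^[[:space:]]*status: active$'
}

# wait_for_link IFACE TIMEOUT_SECONDS [PROBE]
# Polls PROBE (default: ifconfig) once per HOLDDOWN_POLL seconds (default 1)
# until link_active succeeds or TIMEOUT_SECONDS polls have been made.
# Returns 0 when the link came up, 1 on timeout.
wait_for_link() {
    iface=$1
    timeout=$2
    probe=${3:-ifconfig}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if "$probe" "$iface" 2>/dev/null | link_active; then
            return 0
        fi
        sleep "${HOLDDOWN_POLL:-1}"
        elapsed=$((elapsed + 1))
    done
    return 1
}

# main IFACE [TIMEOUT]
# Raise the carp demotion factor (assumed relative-adjust syntax from
# carp(4)) so every vhid on this host loses elections, wait for the link,
# then release the demotion. The 240 is a placeholder; pick a value larger
# than the advskew spread between your nodes.
main() {
    iface=$1
    timeout=${2:-120}
    sysctl net.inet.carp.demotion=+240
    if wait_for_link "$iface" "$timeout"; then
        echo "link on $iface is up; releasing carp hold-down"
    else
        echo "link on $iface still down after ${timeout}s; releasing hold-down anyway" >&2
    fi
    sysctl net.inet.carp.demotion=-240
}

# Only act when invoked with an interface argument, e.g. from an rc script:
#   /usr/local/sbin/carp-holddown.sh em0 180
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it early in the boot sequence, after carp and pfsync are configured but before anything depends on the host being master; pfsync's own bulk-update demotion still applies on top of this. For the pfsync/carp pair itself to work, pf.conf must let the sync traffic and carp advertisements through on the dedicated sync link (rules of the form `pass on $sync_if proto pfsync` and `pass proto carp`), which is part of the standard pfsync setup rather than anything this script adds.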
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?537FB96D.1040503>