From: Peter Wemm
Date: Fri, 23 May 2014 14:11:09 -0700
To: freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <537FB96D.1040503@wemm.org>
References: <20140520070926.GA92183@The.ie>

On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
> On 23 May 2014, at 10:00, G. Paul Ziemba wrote:
>
>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>
>>> Ultimately, outside configuration differences, all firewalls essentially
>>> serve the same purpose, but I wonder what is your favorite and why? If
>>> you were to run FreeBSD in production, which of the three would you
>>> choose? IPFilter, PF or IPFW?
>>
>> I switched to pf about seven months ago as I began to need to
>> manage bandwidth for specific classes of traffic (for example,
>> prevent outbound mailing list email from saturating the link
>> and reserve some bandwidth for interactive use).
>>
>> The syntax is very close and the NAT configuration is simpler in pf.
>
> Does pfsync handle NAT tables?
> Could I use it to build a resilient carrier grade NAT solution?

Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.

Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.

-Peter
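A minimal carp + pfsync NAT failover pair of the kind Peter describes, added here as an illustration; it is not configuration from the freebsd.org cluster or from anyone in the thread. It targets FreeBSD 10, where CARP is an address on the physical interface; the interface names (em0/em1/em2), the RFC 5737/1918 addresses, the vhids and the password placeholder are all assumed.

```conf
# /boot/loader.conf  (constructed example; names and addresses are assumed)
carp_load="YES"

# /etc/rc.conf on the master; the backup is identical except advskew 100
ifconfig_em0="inet 192.0.2.2/24"                 # outside, physical address
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CARP_PASSWORD_PLACEHOLDER alias 192.0.2.1/32"
ifconfig_em1="inet 10.0.0.2/24"                  # inside
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CARP_PASSWORD_PLACEHOLDER alias 10.0.0.1/32"
ifconfig_em2="inet 10.255.255.1/30"              # dedicated pfsync link (crossover)
pfsync_enable="YES"
pfsync_syncdev="em2"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/sysctl.conf
# Let the surviving node take over and fail the vhids over as a group.
# A node whose links come up late can be held back by raising the
# demotion counter (net.inet.carp.demotion, see carp(4)) until they settle,
# which is the hold-down state Peter mentions.
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
nat_addr = "192.0.2.1"      # the shared CARP address, not the physical one

# Translate to the CARP VIP so NAT states synced by pfsync are still valid
# on the peer after a master switch.
nat on $ext_if from $int_if:network to any -> $nat_addr

block all

# pfsync carries state-table updates in the clear and without authentication:
# confine it to the dedicated link, and do not sync its own states.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements (authenticated with the vhid password)
pass quick on { $ext_if, $int_if } proto carp keep state (no-sync)

pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

The backup node uses advskew 100 on both vhids and its own physical addresses (192.0.2.3, 10.0.0.3, 10.255.255.2); everything else, including the CARP aliases, is the same on both.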