From: Darren Pilgrim
Date: Sat, 24 May 2014 12:12:20 -0700
To: Lucius Rizzo, freebsd-stable@freebsd.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <5380EF14.60202@bluerosetech.com>
In-Reply-To: <20140520070926.GA92183@The.ie>
References: <20140520070926.GA92183@The.ie>

On 5/20/2014 12:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout the Solaris years. Lately, on my Linux servers, I end up running
> ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, outside configuration differences, all firewalls essentially
> serve the same purpose, but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use ipfw on servers and end devices when I need a mitigation-oriented firewall. It makes simple work of putting up notch filters, but its syntax gets a bit ugly if you're doing up a router configuration.

I build routers from pf on OpenBSD and Intel hardware. $1k of PC and I can shove gigabits through full BGP tables and big sets of ACLs all day long. Something comparable from Cisco would have a five- or six-digit price tag and leave you unsatisfied. For lighter workloads, Ubiquiti's EdgeRouter family is lovely and it gets you the benefit of a well-known interface if you're handing off the admin hat.

I abandon FreeBSD in this use case--ipfw syntax isn't clean enough and pf's IPv6 support is broken. I haven't touched ipf in over a decade and don't miss it at all.
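As an added illustration of the "notch filter" the reply mentions (not code from either poster): the same table-driven early drop written for ipfw and for pf, so the syntax difference being discussed is visible side by side. The source prefixes are constructed samples from the RFC 5737 documentation ranges, and `IPFW` defaults to printing the commands rather than applying them.

```sh
#!/bin/sh
# Added example: a "notch filter" drops traffic from a small set of
# offending sources before any other rule is consulted. Set IPFW=ipfw
# (as root, on FreeBSD) to apply the ipfw rules; the default only echoes
# them so the script can be reviewed on any host.
IPFW="${IPFW:-echo ipfw}"

# ipfw form: populate lookup table 1, then one early deny rule (number
# 100) that consults it. Changing the blocked set later touches only the
# table, not the rule. Sample prefixes are constructed (RFC 5737).
ipfw_notch() {
    $IPFW table 1 add 203.0.113.0/24
    $IPFW table 1 add 198.51.100.7
    $IPFW add 100 deny ip from 'table(1)' to any in
}

# pf form: the equivalent pf.conf fragment, loaded with `pfctl -f`.
# "quick" stops evaluation at this rule, matching ipfw's early deny.
pf_notch() {
    cat <<'EOF'
table <notch> persist { 203.0.113.0/24, 198.51.100.7 }
block in quick from <notch> to any
EOF
}

ipfw_notch
pf_notch
```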