Date:      Sat, 24 May 2014 16:16:12 -0700
From:      Peter Wemm <peter@wemm.org>
To:        Charles Sprickman <spork@bway.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <5381283C.8010005@wemm.org>
In-Reply-To: <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net>
References:  <20140520070926.GA92183@The.ie> <lln2o2$77d$1@usenet.ziemba.us> <FE050654-7AE7-4E5D-B191-9A620B9D61AD@tao.org.uk> <537FB96D.1040503@wemm.org> <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net>

On 5/23/14, 11:12 PM, Charles Sprickman wrote:
> On May 23, 2014, at 5:11 PM, Peter Wemm <peter@wemm.org> wrote:
>
>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable@ziemba.us> wrote:
>>>
>>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>>>
>>>>> Ultimately, outside configuration differences, all firewalls essentially
>>>>> serve the same purpose, but I wonder what is your favorite and why? If
>>>>> you were to run FreeBSD in production, which of the three would you
>>>>> choose? IPFilter, PF or IPFW?
>>>> I switched to pf about seven months ago as I began to need to
>>>> manage bandwidth for specific classes of traffic (for example,
>>>> prevent outbound mailing list email from saturating the link
>>>> and reserve some bandwidth for interactive use).
>>>>
>>>> The syntax is very close and the NAT configuration is simpler in pf.
>>> Does pfsync handle NAT tables?
>>> Could I use it to build a resilient carrier grade NAT solution?
>>>
>> Yes, pfsync includes NAT.  While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently.  We use it with carp.
>>
>> Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established.  This required some tweaks on the freebsd.org cluster but nothing unmanageable.  We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco “spanning-tree portfast” command on your switch interfaces that connect to end hosts.  The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode.  This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.
>

Indeed, I believe this is a legacy of when we had discrete switches 
chained together.  We've since switched to virtual chassis 
configurations so there's only inter-switch forwarding via the 
backplane.  I've made a note to check this out when I'm physically present.

But it is something to be aware of if you're using carp in this 
configuration as new members will believe they are the master for a 
short while and that does lead to drama as it converges.  This is not a 
pf/carp problem though, more one that we haven't used the available 
tools properly yet.

-Peter
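A minimal carp + pfsync pairing of the kind discussed in this thread, as an added example that is not configuration from the freebsd.org cluster or from anyone posting here; interface names, the 192.0.2.0/24 and 10.x addresses, the vhid and the passphrase are placeholders.

```conf
# /etc/rc.conf on the preferred master (constructed example)
# The standby node uses the same stanza with its own em0/em1 addresses
# and a higher advskew (e.g. 100) so it only wins when the master is gone.
ifconfig_em0="inet 192.0.2.2/24"
# Shared virtual IP carried by carp; advskew 0 marks this host as preferred master
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGEME alias 192.0.2.1/32"
ifconfig_em1="inet 10.0.0.2/24"        # dedicated back-to-back pfsync link
pf_enable="YES"
pf_rules="/etc/pf.conf"
pfsync_enable="YES"
pfsync_syncdev="em1"

# /etc/sysctl.conf
# preempt: the node with the lower advskew takes master back once it is up
# and hearing advertisements; without it, whichever node currently holds
# master keeps it, so a rebooted preferred master would stay backup.
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if = "em0"
sync_if = "em1"
# State replication and carp advertisements must be allowed, and their own
# state entries must not be replicated back over pfsync (no-sync).
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on $ext_if proto carp keep state (no-sync)
# NAT to the carp VIP rather than the physical address: translated
# sessions survive failover because the state table is shared via pfsync.
nat on $ext_if from 10.1.0.0/16 to any -> 192.0.2.1
```

pfsync carries the state table unauthenticated and in clear text, so the sync interface should be an isolated link between the two nodes, not a shared VLAN.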