From: Peter Wemm
To: Charles Sprickman
Cc: freebsd-stable@freebsd.org
Date: Sat, 24 May 2014 16:16:12 -0700
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <5381283C.8010005@wemm.org>
References: <20140520070926.GA92183@The.ie> <537FB96D.1040503@wemm.org> <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net>
In-Reply-To: <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net>

On 5/23/14, 11:12 PM, Charles Sprickman wrote:
> On May 23, 2014, at 5:11 PM, Peter Wemm wrote:
>
>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>>> On 23 May 2014, at 10:00, G. Paul Ziemba wrote:
>>>
>>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>>>
>>>>> Ultimately, outside configuration differences, all firewalls essentially
>>>>> serve the same purpose, but I wonder what is your favorite and why? If
>>>>> you were to run FreeBSD in production, which of the three would you
>>>>> choose? IPFilter, PF or IPFW?
>>>> I switched to pf about seven months ago as I began to need to
>>>> manage bandwidth for specific classes of traffic (for example,
>>>> prevent outbound mailing list email from saturating the link
>>>> and reserve some bandwidth for interactive use).
>>>>
>>>> The syntax is very close and the NAT configuration is simpler in pf.
>>> Does pfsync handle NAT tables?
>>> Could I use it to build a resilient carrier grade NAT solution?
>>>
>> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>>
>> Be aware that things can get a little twitchy if your switches have an extended link-up period. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established.
>> This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.
>
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco “spanning-tree portfast” command on your switch interfaces that connect to end hosts. The pause you see is part of STP, where the switch port sits in learning mode for 5 to 30 seconds before going to forwarding mode. This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.
>

Indeed, I believe this is a legacy of when we had discrete switches chained together. We've since switched to virtual chassis configurations so there's only inter-switch forwarding via the backplane. I've made a note to check this out when I'm physically present.

But it is something to be aware of if you're using carp in this configuration, as new members will believe they are the master for a short while and that does lead to drama as it converges. This is not a pf/carp problem though, more one that we haven't used the available tools properly yet.

-Peter
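The boot-time hold-down that Peter mentions, as an added example that is not part of the thread and not the freebsd.org cluster's own tooling: a small sh script that demotes every CARP vhid on the host until the uplink has reported link continuously for longer than the switch's STP learning delay, then lifts the demotion so the election happens only once the port can actually forward. It assumes FreeBSD 10-style carp(4), where a write to net.inet.carp.demotion adds the given value to the demotion factor (so a negative write undoes it); the ifconfig output it parses is constructed sample data, and the interface name em0 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the freebsd.org cluster: hold a freshly
# booted CARP member down until its uplink has shown link for a while, so it
# cannot win an election while the switch port is still in STP learning mode.
# Assumption: FreeBSD 10-style carp(4), where writing to net.inet.carp.demotion
# ADDS the value to the demotion factor (+240 makes every vhid lose, -240 undoes it).

HOLDDOWN=240     # demotion applied while the link settles (advskew is capped at 255)
SETTLE_SECS=45   # must exceed the switch's STP learning delay (5 to 30 s per the thread)

# Constructed ifconfig(8) output used by the checks below (not captured from a real host).
SAMPLE_UP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffffff broadcast 192.0.2.1 vhid 1
	carp: BACKUP vhid 1 advbase 1 advskew 100
	status: active'
SAMPLE_DOWN='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	status: no carrier'

# link_active <ifconfig-output>: succeeds when the interface reports "status: active".
link_active() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*status: active$'
}

# carp_master <ifconfig-output>: succeeds when some vhid on the interface is already MASTER.
carp_master() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*carp: MASTER '
}

# settled <ifconfig-output> <seconds-of-continuous-link>: succeeds once the hold-down may end.
settled() {
    link_active "$1" && [ "$2" -ge "$SETTLE_SECS" ]
}

holddown_main() {
    ifc=$1
    sysctl net.inet.carp.demotion="$HOLDDOWN" >/dev/null   # step down before link even comes up
    up=0; out=$(ifconfig "$ifc")
    until settled "$out" "$up"; do
        sleep 1
        out=$(ifconfig "$ifc")
        if link_active "$out"; then up=$((up + 1)); else up=0; fi   # require continuous link
        carp_master "$out" && echo "warning: $ifc became MASTER during hold-down" >&2
    done
    sysctl net.inet.carp.demotion="-$HOLDDOWN" >/dev/null   # now let the election run
}

# Invoke with the uplink interface, e.g. from rc.local: carp_holddown.sh em0
if [ $# -gt 0 ]; then holddown_main "$1"; fi
```

The demotion is host-wide, so one run of the script covers every vhid on the box; tune SETTLE_SECS to the longest learning delay you have measured on the switch rather than the nominal one.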