From: Ian Smith
To: Lucius Rizzo
Cc: freebsd-stable@freebsd.org, David Noel
Date: Mon, 26 May 2014 00:29:36 +1000 (EST)
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <20140525235945.V5669@sola.nimnet.asn.au>
In-Reply-To: <20140524055733.GA69376@The.ie>
References: <20140520070926.GA92183@The.ie> <20140524055733.GA69376@The.ie>

On Fri, 23 May 2014 22:57:33 -0700, Lucius Rizzo wrote:
 > * David Noel [2014-05-24 00:31]:
 > > On 5/23/14, David Noel wrote:
 > > > On 5/20/14, Lucius Rizzo wrote:
 > > >> If you use any of the firewalls, and have interesting
 > > >> or even optimized rule sets, I would really like to see them :)
 > > >
 > > > I'll post them shortly.
 > > >
 > > Let me know if I missed anything.
 >
 > Thank you! This actually helps. I have a set of IPFilter rules that I
 > plunk on my FreeBSD servers running on cloud. I use IPFilter with
 > sshguard-ipfilter. (See Attached)
 >
 > Seems like consensus is that pf is perhaps the best choice moving forward.

There's no consensus except what you'd prefer it to be. If you count messages you might have had to use ipfw, but I'm not surprised that pf is likely more comfortable conceptually to someone familiar with ipf.

To one happier with procedural programming down to assembler level to sh or Pascal rather than more object-oriented languages, ipfw is nice and bare-metal and doggedly procedural. Others prefer the more symbolic approach, and pf has always felt that to me, but that's subjective.

We've seen good specifics on which suits whom, and in what scenarios. I liked Darren Pilgrim's non-sectarian approach, preferring ipfw on (his) servers and pf - on OpenBSD - on (his) routers. And we got some interesting high-level takes from folks running enterprise-scale stuff down to what might best suit embedded gear. It's been fun :)

However, I want the bikeshed slightly on the yellow side of burnt ochre.

cheers, Ian