From: Lucius Rizzo
To: freebsd-stable@freebsd.org
Date: Mon, 26 May 2014 03:07:49 -0700
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <20140526100749.GA83229@The.ie>
In-Reply-To: <5380EF14.60202@bluerosetech.com>
References: <20140520070926.GA92183@The.ie> <5380EF14.60202@bluerosetech.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

* Darren Pilgrim [2014-05-24 12:12]:
> On 5/20/2014 12:09 AM, Lucius Rizzo wrote:
> > I have been looking into articles comparing firewalls that come with
> > FreeBSD. There isn't much recent info on the net. I am currently using
> > FreeBSD 10 with IPFilter.
> >
> > Firewalls are like MTA servers, I find. Each person has their own
> > proclivities. I happened to have started with IPFilter on Solaris and
> > throughout the Solaris years. Lately, on my Linux servers, I end up running
> > ufw as a lazy man's iptables CLI frontend, which is easy enough.
> >
> > Ultimately, outside configuration differences, all firewalls essentially
> > serve the same purpose, but I wonder what is your favorite and why? If
> > you were to run FreeBSD in production, which of the three would you
> > choose? IPFilter, PF or IPFW?
>
> I use ipfw on servers and end devices when I need a mitigation-oriented
> firewall.
> It makes simple work of putting up notch filters, but its
> syntax gets a bit ugly if you're doing up a router configuration.
>
> I build routers from pf on OpenBSD and Intel hardware. $1k of PC and I
> can shove gigabits through full BGP tables and big sets of ACLs all day
> long. Something comparable from Cisco would have a five- or six-digit
> price tag and leave you unsatisfied. For lighter workloads, Ubiquiti's
> EdgeRouter family is lovely and it gets you the benefit of a well-known
> interface if you're handing off the admin hat. I abandon FreeBSD in
> this use case--ipfw syntax isn't clean enough and pf's IPv6 support is
> broken.
>
> I haven't touched ipf in over a decade and don't miss it at all.

Does anyone know what happened to Darren Reed from IPFilter? Last I checked
he had moved to Asia and was working under the Oracle umbrella... The
IPFilter page is now a redirect to ANU's main site. Pity.

--
| _o _ |_)o_ _ _
|_|_|(_||_|_> | \|/_/_(_) - Lucius.Tel
--------------------------------------
++ Success is relative: It is what we can make of the mess we have ++
++ made of things.                                                 ++
++ -- T. S. Eliot, "The Family Reunion"                            ++
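As a concrete illustration of the ipfw "notch filter" use Darren describes in the quoted reply, here is an added example written for this page (it is not code from the thread, from Darren, or from the FreeBSD project). It builds a table-driven block rule as shell functions so the generated ipfw commands can be reviewed in a dry run before they touch the running firewall. The table number (1), the rule number (100), the function names and the blocked prefixes (RFC 5737 and RFC 3849 documentation ranges, constructed for the example) are arbitrary choices for illustration; it assumes FreeBSD's ipfw with numbered lookup tables and a ruleset that already passes the traffic you want to keep.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw "notch filter" that
# drops everything sourced from a lookup table of prefixes.  Assumes FreeBSD
# ipfw with numbered tables; table/rule numbers and the sample prefixes are
# illustrative choices (RFC 5737 / RFC 3849 documentation ranges, constructed).

TABLE=1           # lookup table holding the blocked prefixes (assumed free)
RULE_NOTCH=100    # rule number for the notch; low so it wins over later allows

# Constructed sample of prefixes to notch out; v4 and v6 share one table.
BLOCKED_PREFIXES="203.0.113.0/24 198.51.100.7 2001:db8::/32"

# Emit the ipfw commands that build the notch filter, one per line, so they
# can be reviewed or piped into sh on the firewall host.
#   $1 = table number, $2 = rule number, remaining args = prefixes
notch_filter_commands() {
    _t="$1"; _rule="$2"; shift 2
    # Flush first so a re-run converges on exactly the current list.
    echo "ipfw -q table $_t flush"
    for _p in "$@"; do
        echo "ipfw -q table $_t add $_p"
    done
    # Replace rather than duplicate the rule if the script is run again.
    echo "ipfw -q delete $_rule 2>/dev/null || true"
    # A single rule covers every entry in the table, IPv4 and IPv6 alike.
    echo "ipfw -q add $_rule deny ip from \"table($_t)\" to any"
}

# Number of prefixes a generated command list installs (sanity check).
count_table_adds() {
    notch_filter_commands "$@" | grep -c ' table [0-9]* add '
}

# Apply the notch.  With DRY_RUN set, only print the commands.
# BLOCKED_PREFIXES is deliberately unquoted so it word-splits into arguments.
apply_notch_filter() {
    if [ -n "${DRY_RUN:-}" ]; then
        notch_filter_commands "$TABLE" "$RULE_NOTCH" $BLOCKED_PREFIXES
    else
        notch_filter_commands "$TABLE" "$RULE_NOTCH" $BLOCKED_PREFIXES | sh -e
    fi
}

case "${1:-}" in
    --preview) DRY_RUN=1; apply_notch_filter ;;   # show what would run
    --apply)   apply_notch_filter ;;              # needs root on the firewall
esac
```

Run it with `--preview` to see the commands and `--apply` (as root) to load them. The pf equivalent of the same notch is a `table <blocklist> persist` declaration plus `block in quick from <blocklist>` in pf.conf, populated at runtime with `pfctl -t blocklist -T add ...`; the ipfw version stays a handful of one-liners, which is the point the reply above makes about simple notch filters.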