From owner-freebsd-stable@FreeBSD.ORG Wed May 28 07:10:59 2014
Date: Wed, 28 May 2014 08:10:58 +0100
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
From: krad
To: Charles Sprickman
Cc: freebsd-stable, Peter Wemm

or use RSTP

On 24 May 2014 07:12, Charles Sprickman wrote:

> On May 23, 2014, at 5:11 PM, Peter Wemm wrote:
>
> > On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
> >> On 23 May 2014, at 10:00, G. Paul Ziemba wrote:
> >>
> >>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
> >>>
> >>>> Ultimately, outside configuration differences, all firewalls essentially
> >>>> serve the same purpose, but I wonder what is your favourite and why? If
> >>>> you were to run FreeBSD in production, which of the three would you
> >>>> choose? IPFilter, PF or IPFW?
> >>>
> >>> I switched to pf about seven months ago as I began to need to
> >>> manage bandwidth for specific classes of traffic (for example,
> >>> prevent outbound mailing list email from saturating the link
> >>> and reserve some bandwidth for interactive use).
> >>>
> >>> The syntax is very close and the NAT configuration is simpler in pf.
> >>
> >> Does pfsync handle NAT tables?
> >> Could I use it to build a resilient carrier-grade NAT solution?
> >>
> >
> > Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org
> > cluster, we do use it on certain ipv6+rfc1918 machines and it does handle
> > failover / recovery transparently. We use it with carp.
> >
> > Be aware that things can get a little twitchy if your switches have
> > extended link-up periods. Our Juniper EX switches and ethernet interfaces
> > have a significant delay between 'ifconfig up' and link established. This
> > required some tweaks on the freebsd.org cluster but nothing unmanageable.
> > We probably should boot them into a hold-down state while things stabilize,
> > but we've taken the quick way out rather than doing it the ideal way.
>
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco
> "spanning-tree portfast" command on your switch interfaces that connect to
> end hosts. The pause you see is part of STP where the switch port sits in
> learning mode from 5 to 30 seconds before going to forwarding mode. This
> is important for inter-switch links, but not at all needed when you know a
> port is only going to have a host plugged into it.
>
> Charles
>
> > -Peter
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
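The setup Peter describes above (pf NAT with state replicated over pfsync, addresses failed over by CARP) in concrete FreeBSD 10-era configuration, as an added example that is not part of the thread or of the freebsd.org cluster's own config. It renders rc.conf, sysctl.conf and pf.conf fragments for a two-node pair; interface names (em0/em1/em2), the documentation-range addresses, the CARP password and the vhid numbers are all made-up placeholders. Two points the thread leaves implicit are built in: the NAT rule must translate to the shared CARP address rather than the node's own address, or replicated states are useless after failover; and pfsync carries no authentication, so it belongs on a dedicated back-to-back link, never on the LAN the firewalls protect.

```shell
#!/bin/sh
# Added example: render config fragments for a pf + CARP + pfsync NAT firewall pair.
# Usage: sh carp-pair.sh master|backup   (writes ./<role>/rc.conf, sysctl.conf, pf.conf)
# All names and addresses below are assumptions for illustration only.

EXT_IF=em0; INT_IF=em1; SYNC_IF=em2           # assumed NIC names
EXT_VIP=203.0.113.1; INT_VIP=192.168.1.1      # shared CARP addresses (documentation ranges)
INT_NET=192.168.1.0/24
CARP_PASS=changeme                             # assumed; CARP advertisements are HMAC'd with it

# Per-node parameters: the backup gets a higher advskew so it only wins an election
# while the master is down, and each node's pfsync peer is the other node's sync-link IP.
node_params() {
  case "$1" in
    master) EXT_IP=203.0.113.2; INT_IP=192.168.1.2; SYNC_IP=10.0.0.1; PEER=10.0.0.2; ADVSKEW=0   ;;
    backup) EXT_IP=203.0.113.3; INT_IP=192.168.1.3; SYNC_IP=10.0.0.2; PEER=10.0.0.1; ADVSKEW=100 ;;
    *) echo "usage: $0 master|backup" >&2; return 1 ;;
  esac
}

render_rc_conf() {
  node_params "$1" || return 1
  cat <<EOF
pf_enable="YES"
pflog_enable="YES"
ifconfig_${EXT_IF}="inet ${EXT_IP}/24"
ifconfig_${EXT_IF}_alias0="inet vhid 1 advskew ${ADVSKEW} pass ${CARP_PASS} alias ${EXT_VIP}/32"
ifconfig_${INT_IF}="inet ${INT_IP}/24"
ifconfig_${INT_IF}_alias0="inet vhid 2 advskew ${ADVSKEW} pass ${CARP_PASS} alias ${INT_VIP}/32"
# pfsync is neither authenticated nor encrypted: anyone on its segment can inject
# states, so it rides a dedicated point-to-point link, not the protected LAN.
ifconfig_${SYNC_IF}="inet ${SYNC_IP}/30"
pfsync_enable="YES"
pfsync_syncdev="${SYNC_IF}"
pfsync_syncpeer="${PEER}"
EOF
}

render_sysctl_conf() {
  cat <<EOF
# Let the node with the better advskew take over both vhids together, so the
# external and internal sides never end up mastered by different boxes.
net.inet.carp.preempt=1
EOF
}

render_pf_conf() {
  cat <<EOF
ext_if = "${EXT_IF}"
int_if = "${INT_IF}"
sync_if = "${SYNC_IF}"
ext_vip = "${EXT_VIP}"
int_net = "${INT_NET}"

set skip on lo0
# Translate to the shared VIP, not this node's own address: a state created on the
# master is then still correct on the backup once CARP moves the VIP across.
nat on \$ext_if inet from \$int_net to any -> \$ext_vip

block all
# CARP on the data interfaces; pfsync only on the sync link (block all covers the rest).
pass quick on { \$ext_if \$int_if } proto carp
pass quick on \$sync_if proto pfsync
pass in on \$int_if inet from \$int_net to any keep state
pass out on \$ext_if inet keep state
EOF
}

if [ -n "$1" ]; then
  mkdir -p "$1" \
    && render_rc_conf "$1" > "$1/rc.conf" \
    && render_sysctl_conf > "$1/sysctl.conf" \
    && render_pf_conf > "$1/pf.conf"
fi
```

Run it once per role, copy the fragments into place on each box and check the ruleset with `pfctl -nf /etc/pf.conf` before loading it. The slow link-up that Peter and Charles discuss bites here too: until the switch port forwards, the node sees no CARP advertisements and may briefly elect itself master, so fixing the port (portfast/edge, or RSTP) belongs with this configuration rather than being tuned around in pf.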