Date: Fri, 23 May 2014 09:00:50 +0000 (UTC)
From: "G. Paul Ziemba" <pz-freebsd-stable@ziemba.us>
To: freebsd-stable@FreeBSD.org
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <lln2o2$77d$1@usenet.ziemba.us>
References: <20140520070926.GA92183@The.ie>
Lucius.Rizzo@The.ie (Lucius Rizzo) writes:

>Ultimately, outside configuration differences all firewalls essentially
>serve the same purpose but I wonder what is your favorite and why? If
>you were to run FreeBSD in production, which of the three would you
>choose? IPFilter, PF or IPFW?

I was a long-time user of ipfilter from its early days in the 1990s on
Solaris. I started running it on FreeBSD in September 1999 (FreeBSD 3.2).

I switched to pf about seven months ago as I began to need to manage
bandwidth for specific classes of traffic (for example, prevent outbound
mailing list email from saturating the link and reserve some bandwidth
for interactive use). The syntax is very close and the NAT configuration
is simpler in pf.

Here are some of my reasons for switching:

1. Development activity. There seems to be almost no development of
   ipfilter for FreeBSD anymore. Beyond the drama last year about whether
   it would continue to be supported at all in FreeBSD, I'm not sure there
   is even any development of the base ipfilter now. The project web page
   (as linked from the FreeBSD Handbook as well as the Wikipedia page)
   seems to have disappeared.

2. Integrated queue configuration (enabling bandwidth management of
   selected traffic). This feature is not in ipfilter and is what drove
   my switch.

3. Integrated macro and subroutine support (the latter are referred to as
   "anchors"). It simplified my rule files a bit. Also, being able to
   reload rules at specific anchors simplified handling of my time-based
   rules.

I haven't checked recently, but I believe VIMAGE support for FreeBSD's pf
is still missing. There were some development efforts a couple years ago
but I never saw the patches get added to the distributed FreeBSD. As a
result I am using VirtualBox VMs instead of jails for some of my
internet-facing services.

-- 
G. Paul Ziemba
FreeBSD unix:
 1:56AM  up 117 days,  2:55, 24 users, load averages: 1.49, 1.60, 1.60
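The three pf features the message above credits for the switch (macros, integrated queueing, and reloadable anchors) fit in one small pf.conf. The following is an added illustration, not a configuration posted in the thread or shipped by FreeBSD. Interface names (em0/em1), the 192.168.1.0/24 LAN, the 10Mb uplink figure and the anchor name "timed" are assumptions for the example. It uses the ALTQ queueing grammar that FreeBSD's pf of this period (derived from OpenBSD 4.5) accepts, which requires a kernel built with options ALTQ and ALTQ_CBQ; GENERIC does not include them.

```pf
# Added example, not from the thread. FreeBSD pf.conf in OpenBSD-4.5-era
# grammar: macros, options, scrub, queueing, translation (nat/rdr), then
# filter rules, in that order. Interfaces and addresses are assumptions.

# --- Macros ---------------------------------------------------------------
ext_if  = "em0"               # uplink (assumed)
int_if  = "em1"               # LAN    (assumed)
lan_net = "192.168.1.0/24"    # assumed LAN range

set skip on lo0
scrub in all

# --- Queueing (what ipfilter lacks) ----------------------------------------
# The root bandwidth must be the uplink's actual rate, not the NIC speed,
# or the queues never fill and nothing is shaped. Needs ALTQ + ALTQ_CBQ in
# the kernel.
altq on $ext_if cbq bandwidth 10Mb queue { q_def, q_pri, q_bulk }
queue q_def  bandwidth 30% cbq(default)            # everything unclassified
queue q_pri  bandwidth 40% priority 7 cbq(borrow)  # interactive + pure ACKs
queue q_bulk bandwidth 30% cbq(borrow)             # outbound list mail

# --- Translation ------------------------------------------------------------
# ($ext_if) in parentheses follows a dynamically assigned uplink address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Filtering --------------------------------------------------------------
block in log all
pass in on $int_if from $lan_net to any

# Generic outbound: data to q_def, but TCP ACKs with no payload and
# lowdelay-TOS packets to q_pri via the two-queue form, so a saturated
# upload does not stall downloads by delaying their ACKs.
pass out on $ext_if to any queue (q_def, q_pri)

# Outbound mailing-list traffic is confined to q_bulk; 'quick' ends
# evaluation here so the generic rule above cannot re-queue it.
pass out quick on $ext_if proto tcp to any port smtp queue q_bulk

# Interactive sessions and DNS get the priority queue.
pass out quick on $ext_if proto tcp to any port ssh    queue q_pri
pass out quick on $ext_if proto udp to any port domain queue q_pri

# --- Anchor (the "subroutine") ---------------------------------------------
# Rules for this anchor live in a separate file and are swapped without
# touching the main ruleset, e.g. from cron for time-based rules:
#   pfctl -a timed -f /etc/pf.timed.conf   # load or replace the anchor's rules
#   pfctl -a timed -F rules                # flush only the anchor
#   pfctl -a timed -sr                     # show what is currently loaded
# Macros defined in this file are not visible inside the anchor's file.
anchor "timed"
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, which catches ordering mistakes (a nat rule after a filter rule, a queue referenced before its altq definition) that would otherwise leave the old ruleset in place. After loading, `pfctl -vsq` shows per-queue packet and byte counters; if q_bulk never accumulates traffic while list mail is flowing, the smtp rule is not matching or ALTQ is not compiled into the running kernel.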
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?lln2o2$77d$1>