Most wanted packet filter
Max Laier
max at love2party.net
Wed Jul 20 13:33:59 GMT 2005
On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > Roger Grosswiler wrote:
> >>Hi,
> >>
> >>i would like to know, which "firewall" is most wanted under freebsd. is it
> >>ipfw or is it ipf?
> >>
> >>i imagine, both have their advantages, but i would like to try first the
> >>most used because of support - poor rookie, i :-D
>
> > Don't forget about the third one, called pf. ;)
> > It's a hard question. What does matter is which of them is the best *for
> > You*. As for me I use ipf and ipfw together. I think ipf is very easy to
> > configure but ipfw has more sophisticated features, for instance it can
> > be used for bandwidth controlling via dummynet facility. As for pf, I
> > don't know it.
>
> > Cheers,
> >
> > Gábor Kövesdán
>
> Thanks Gabor,
>
> I thought so. What i read, i should prefer ipf. What i also would like to
> know, whether there is something, the freebsd-world calls "standard"? I mean,
> the title of this list is freebsd-ipfw ;-)
There is a list called freebsd-pf@ as well where you will find support for pf
related questions.

IMO you have to decide a couple of things:

1) Which syntax is the most natural for you?
   Choices: IPFW vs. IPF/PF
2) What do you want to achieve?
   Choices: Fast packet pushing with little sanity checks as usual on an ISP
   router vs. High level of sanity checks while giving up some performance.

IPFW provides for the first, PF for the latter. However, both can be
configured to provide high performance and both can be configured to provide
a high level of sanity checks - this reflects just what is the "natural"
configuration for the system. PF can check some things that IPFW can't and
IPFW can provide pps-rates that PF will not get close to, but those are edge
cases you probably don't have to deal with.

Why not IPF?

1) It seems to be broken in RELENG_5 as several people report on
   freebsd-stable@. There is an issue with SMP/PREEMPTION and no solution seems
   to be worked on.
2) It's undermaintained (IMO)
3) It doesn't provide any benefit over PF

http://www.openbsd.org/faq/pf/index.html is a really good guide to get started
with PF, btw.

IMHO PF is the best firewall system available for protecting networks as the
only firewall between clients and the internet.

--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News