What is your favourite/best firewall on FreeBSD and why?

Hooman Fazaeli hoomanfazaeli at gmail.com
Wed May 21 12:18:51 UTC 2014


On 5/20/2014 11:39 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,
>
pf has some advanced features which make it more suitable for bigger and more complex networks.

pf advantages:
     - Operating system fingerprints as rule condition
     - Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
     - IP address range
     - Redirecting reply packets (reply-to)
     - More state limiting options to resist DoS (max-src-nodes, max-src-states, max-src-conn, max-src-conn-rate)
     - Simpler NAT syntax
     - ICMP for ICMP/TCP/UDP NAT
     - More load-share NAT options (round-robin, source hash, ...)
     - Full packet logging via pflog pseudo interface
     - Rule labels
     - More control via CLI (pfctl)
     - pftop
     - Active-active failover (pfsync)
     - Syn proxy

See pf.conf(5) man page for details.

ipfw advantages:
        - MAC (L2) type/src/dst filtering (although very restricted, i.e., you may only specify a single MAC address as src)
        - Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

-- 

Best regards.
Hooman Fazaeli

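An added example, not part of the thread or of the pf project, showing several of the pf features Hooman lists (dynamic interface addresses, IP ranges, rule labels, per-source state limits with an overload table, SYN proxy, round-robin NAT and pflog logging) in FreeBSD 10 pf.conf syntax. Interface names, addresses, the table name and the web server pool are assumed placeholders.

```pf
# Assumed placeholders: adjust interfaces and addresses for your network.
ext_if  = "em0"                        # Internet-facing interface
int_if  = "em1"                        # LAN interface
lan_net = "10.0.0.0/24"
web_pool = "{ 10.0.0.10, 10.0.0.11 }"  # internal web servers

# Table populated automatically by the "overload" option below.
table <bruteforce> persist

set skip on lo0
set limit { states 100000, src-nodes 50000 }

# Dynamic interface address: ($ext_if) follows the address even if DHCP changes it.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Load-share NAT: spread inbound HTTP across the pool, sticky per client source.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_pool round-robin sticky-address

# Default deny; "log" sends the blocked packet to pflog0 for tcpdump/pflogd.
block log all

# Sources that earned a place in <bruteforce> are dropped before anything else.
block log quick from <bruteforce>

# Inbound SSH: SYN proxy plus per-source limits. A source with more than 10
# concurrent connections, or more than 5 new ones in 30 seconds, is added to
# <bruteforce> and all of its states are flushed. The label shows up in pfctl -sl.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    synproxy state (max-src-conn 10, max-src-conn-rate 5/30, \
                    overload <bruteforce> flush global) \
    label "ssh-in"

# IP address range as a rule condition (no netmask needed).
pass in on $ext_if proto tcp from 192.0.2.10 - 192.0.2.20 to ($ext_if) port 443 \
    synproxy state label "partner-https"

# HTTP to the pool (destination already rewritten by rdr), capped per source.
pass in on $ext_if proto tcp from any to $web_pool port 80 \
    keep state (max-src-states 50) label "http-in"

# LAN clients may go anywhere; reply traffic is matched by state.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and inspect hits per label with `pfctl -sl` and the overload table with `pfctl -t bruteforce -T show`.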