What is your favourite/best firewall on FreeBSD and why?

Peter Wemm peter at wemm.org
Fri May 23 21:11:10 UTC 2014


On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable at ziemba.us> wrote:
>
>> Lucius.Rizzo at The.ie (Lucius Rizzo) writes:
>>
>>> Ultimately, outside configuration differences, all firewalls essentially
>>> serve the same purpose, but I wonder what is your favorite and why? If
>>> you were to run FreeBSD in production, which of the three would you
>>> choose? IPFilter, PF or IPFW?
>> I switched to pf about seven months ago as I began to need to
>> manage bandwidth for specific classes of traffic (for example,
>> prevent outbound mailing list email from saturating the link
>> and reserve some bandwidth for interactive use).
>>
>> The syntax is very close and the NAT configuration is simpler in pf.
> Does pfsync handle NAT tables?
> Could I use it to build a resilient carrier-grade NAT solution?
>

Yes, pfsync includes NAT.  While we don't use NAT in the freebsd.org 
cluster, we do use it on certain ipv6+rfc1918 machines and it does 
handle failover / recovery transparently.  We use it with carp.

Be aware that things can get a little twitchy if your switches have 
extended link-up periods. Our Juniper EX switches and ethernet 
interfaces have a significant delay between 'ifconfig up' and link 
established.  This required some tweaks on the freebsd.org cluster but 
nothing unmanageable.  We probably should boot them into a hold-down 
state while things stabilize, but we've taken the quick way out 
rather than doing it the ideal way.

-Peter
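The carp + pfsync + NAT arrangement Peter describes, written out as an added example that is not from this thread or the freebsd.org cluster; the interface names, the RFC 5737/RFC 1918 addresses, the vhid numbers and the shared secret are constructed placeholders. NAT translates to the shared CARP address rather than the physical one, so synchronized states stay valid after a failover; the backup node carries a higher advskew so the primary reclaims master once its links have settled.

```conf
# /etc/rc.conf on the primary firewall (constructed example)
kld_list="carp"                       # load carp if not built into the kernel
pf_enable="YES"
pf_rules="/etc/pf.conf"
# outside interface, CARP VIP shared with the backup
ifconfig_em0="inet 192.0.2.2/24"
ifconfig_em0_alias0="inet vhid 1 pass EXAMPLE_SECRET alias 192.0.2.1/32"
# inside (RFC 1918) interface, second VIP as the LAN default gateway
ifconfig_em1="inet 10.0.0.2/24"
ifconfig_em1_alias0="inet vhid 2 pass EXAMPLE_SECRET alias 10.0.0.1/32"
# dedicated back-to-back link for state synchronization
ifconfig_em2="inet 192.168.255.1/30"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.255.2"       # unicast to the peer instead of multicast
# On the backup node use 192.0.2.3, 10.0.0.3, 192.168.255.2 and append
# "advskew 100" to each vhid so it only becomes master when the primary is gone.

# /etc/sysctl.conf (constructed example)
net.inet.carp.preempt=1               # fail over all vhids together, primary reclaims master

# /etc/pf.conf (constructed example), identical on both nodes
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
carp_ip = "192.0.2.1"

set skip on lo0

# NAT to the CARP address, not ($ext_if): states synced to the peer must
# still match the address the peer answers on after a failover
nat on $ext_if inet from $int_if:network to any -> $carp_ip

# CARP advertisements and pfsync traffic must never be filtered
pass quick on $sync_if proto pfsync
pass quick on { $ext_if, $int_if } proto carp

block in all
pass out all keep state
pass in on $int_if inet from $int_if:network to any keep state
```

After both nodes are up, `ifconfig em0` should show `carp: MASTER` on one node and `BACKUP` on the other, and `pfctl -ss` on the backup should list the states the master created.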
