Most wanted packet filter

NetAdmin daemon at foxchat.net
Wed Jul 20 17:24:19 GMT 2005


On Wed, 2005-07-20 at 15:33 +0200, Max Laier wrote:
> On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > > Roger Grosswiler wrote:
> > >>Hi,
> > >>
> > >>i would like to know, which "firewall" is most wanted under freebsd. is it
> > >>ipfw or is it ipf?
> > >>
> > >>i imagine, both have their advantages, but i would like to try first the
> > >>most used because of support - poor rookie, i :-D
> >
> > > Don't forget about the third one, called pf. ;)
> > > It's a hard question. What does matter is which of them is the best *for
> > > You*. As for me I use ipf and ipfw together. I think ipf is very easy to
> > > configure but ipfw has more sophisticated features, for instance it can
> > > be used for bandwidth controlling via dummynet facility. As for pf, I
> > > don't know it.
> >
> > > Cheers,
> > >
> > > Gábor Kövesdán
> >
> > Thanks Gabor,
> >
> > I thought so. What i read, i should prefer ipf. What i also would like to
> > know, whether there is something, the freebsd-world calls "standard"? I mean,
> > the title of this list is freebsd-ipfw ;-)
> 
> There is a list called freebsd-pf@ as well where you will find support for pf 
> related questions.
> 
> IMO you have to decide a couple of things:
> 
> 1) Which syntax is the most natural for you?
> Choices: IPFW vs. IPF/PF
> 
> 2) What do you want to achieve?
> Choices: Fast packet pushing with little sanity checks as usual on an ISP 
> router vs. High level of sanity checks while giving up some performance.
> IPFW provides for the first, PF for the latter.  However, both can be 
> configured to provide high performance and both can be configured to provide 
> a high level of sanity checks - this reflects just what is the "natural" 
> configuration for the system.  PF can check some things that IPFW can't and 
> IPFW can provide pps-rates that PF will not get close to, but that are edge 
> cases you probably don't have to deal with.
> 
> Why not IPF?
> 1) It seems to be broken in RELENG_5 as several people report on 
> freebsd-stable@.  There is an issue with SMP/PREEMPTION and no solution seems 
> to be worked on.
> 2) It's undermaintained (IMO)
> 3) It doesn't provide any benefit over PF
> 
> http://www.openbsd.org/faq/pf/index.html is a really good guide to get started 
> with PF, btw.
> 
> IMHO PF is the best firewall system available for protecting networks as the 
> only firewall between clients and the internet.
> 

How difficult is it to switch from IPFW2 to PF or use the two in
conjunction with one another and are there any good URL "how to" sites
with that information?

Regards,

Mark



More information about the freebsd-ipfw mailing list