firewall on FreeBSD

Giorgos Keramidas keramida at
Fri Jun 24 20:56:52 GMT 2005

On 2005-06-24 10:31, fbsd_user <fbsd_user at> wrote:
> Which firewall you select to use should be based on your level of
> understanding of how information is moved across the internet.
> Ipfilter is best suited for people who are just learning about
> firewalling. PF is a little more automated and the rules are very
> close to IPF's.


> IPFW is for the advanced firewall users who have expert understanding
> of the internet.

Blatantly false.

> All 3 firewalls support stateful rules and are available in the 5.4
> release. Best advice is start with Ipfilter and when you find out that
> you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too.

The choise of the "best" firewall is, these days, more often than not an
issue of which one matches the specific application and the taste of the
one who is going to set it up, i.e.

  * DUMMYNET is a very nice bandwidth limiting & shaping tool, which may
    some times lead to choosing IPFW.

  * On the other hand, PF/ALTQ may be used to do similar things, so some
    users will obviously prefer this set of tools for other reasons (for
    instance, because the like the ruleset style better).

  * IP Filter, is almost obsoleted by PF on FreeBSD, but it's still one
    of the most portable firewalls out there (I use it on Solaris all
    the time, for example).

There isn't a "best firewall for all cases".  They all have their
respective strengths and/or weaknesses.

=== To the original poster ===
I say, try them all out and choose the one _YOU_ prefer, for the reasons
that are important in _YOUR_ setup.

- Giorgos

More information about the freebsd-questions mailing list