firewall on FreeBSD

Paul Schmehl pauls at
Sat Jun 25 03:39:06 GMT 2005

--On June 24, 2005 5:31:13 PM +0100 martin at wrote:

> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of
>> understanding of how information is moved across the internet.
>> Ipfilter is best suited for people who are just learning about
>> firewalling. PF is a little more automated and the rules are very
>> close to IPF's.
>> IPFW is for the advanced firewall users who have expert
>> understanding of the internet. All 3 firewalls support stateful
>> rules and are available in the 5.4 release. Best advice is start
>> with Ipfilter and when you find out that you have needs which are
>> not met by Ipfilter then move over to IPFW.
> Is this right?

If it is, then I'm a lot smarter than I give myself credit for.  The first 
firewall I ever used was ipchains.  Then I used iptables, but I never 
learned much about either because Linux obscures the config (unless you're 
doing something "fancy", you can run "setup" on the cli, click a few check 
boxes and you're done.)

When I decided to switch a server over to FBSD, I had to read the man page 
to understand how pf worked, because there *was* no "setup" to run.  I've 
been using pf for a few years now, and I've never had problems 
understanding the syntax or how it works (but I also never do NAT, so that 
might be the reason it seems easy to me.)

> I started off using IPFW, and found it no harder or easier
> than ipfilter, which I am using now. Can't remember the reason I changed
> to ipfilter, think it might have something to do with being easier to
> use with ipnat, but I am pretty happy with it. Is there anything that
> ipfw does better than ipfilter to make it preferable?

The only thing I would say about firewalls is, know what you're doing and 
do it at the console.  There's nothing like having to get dressed and drive 
40 miles to fix a box because you screwed up the firewall config while 
working remotely to impress upon you the need to work at the console. :-)

Personally, I like the "quick" keyword of the OpenBSD firewall, (but not 
enough to bother installing it.)

Paul Schmehl (pauls at
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
