Lucius Rizzo
2014-May-20 07:09 UTC
What is your favourite/best firewall on FreeBSD and why?
I have been looking into articles comparing firewalls that come with FreeBSD. There isn't much recent info on the net. I am currently using FreeBSD 10 with IPFilter.

Firewalls are like MTA servers, I find. Each person has their own proclivities. I happened to have started with IPFilter on Solaris and used it throughout the Solaris years. Lately, on my Linux servers, I end up running ufw as a lazy man's iptables CLI frontend, which is easy enough.

Ultimately, configuration differences aside, all firewalls essentially serve the same purpose, but I wonder what your favourite is and why? If you were to run FreeBSD in production, which of the three would you choose? IPFilter, PF or IPFW?

Also, there is a lack of good, interesting rule sets in the BSD realm. With Linux, there was even an iptables rule set to prevent Heartbleed. If you use any of the firewalls and have interesting or even optimized rule sets, I would really like to see them :)

Regards,
-- 
 | _o _ |_)o_ _ _
 |_|_|(_||_|_> | \|/_/_(_) - Lucius.Tel
Patrick M. Hausen
2014-May-21 07:57 UTC
What is your favourite/best firewall on FreeBSD and why?
Hi, all,

On 20.05.2014 at 09:09, Lucius Rizzo <Lucius.Rizzo at The.ie> wrote:

> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

IPFW, since it was first introduced. It's the standard one, works, and I don't miss anything.

Kind regards
Patrick

-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
Hooman Fazaeli
2014-May-21 12:18 UTC
What is your favourite/best firewall on FreeBSD and why?
On 5/20/2014 11:39 AM, Lucius Rizzo wrote:

> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter on Solaris and
> used it throughout the Solaris years. Lately, on my Linux servers, I end
> up running ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also, there is a lack of good, interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent Heartbleed. If you
> use any of the firewalls and have interesting or even optimized rule sets,
> I would really like to see them :)
>
> Regards,

pf has some advanced features which make it more suitable for bigger and more complex networks.

pf advantages:
- Operating system fingerprints as a rule condition
- Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
- IP address ranges
- Redirecting reply packets (reply-to)
- More state limiting options to resist DoS (max-src-nodes, max-src-states, max-src-conn, max-src-conn-rate)
- Simpler NAT syntax
- ICMP for ICMP/TCP/UDP NAT
- More load-share NAT options (round-robin, source hash, ...)
- Full packet logging via the pflog pseudo interface
- Rule labels
- More control via the CLI (pfctl)
- pftop
- Active-active failover (pfsync)
- SYN proxy

See the pf.conf(5) man page for details.

ipfw advantages:
- MAC (L2) type/src/dst filtering (although very restricted, i.e., you may only specify a single MAC address as src)
- Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

-- 
Best regards.
Hooman Fazaeli
Warren Block
2014-May-21 18:14 UTC
What is your favourite/best firewall on FreeBSD and why?
On Tue, 20 May 2014, Lucius Rizzo wrote:

> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I started with IPFW and used it a long time. Then I switched to PF, which has been easier to configure. Certainly PF is what I would use for any new projects.
Mike Tancsa
2014-May-21 18:38 UTC
What is your favourite/best firewall on FreeBSD and why?
On 5/20/2014 3:09 AM, Lucius Rizzo wrote:

> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.

It depends. I will use ipfw or pf depending on the app. But I never use ipfilter as there is really no one maintaining it in FreeBSD. Also, if you are using RELENG_10, using pf can better take advantage of multiple cores.

For stateful firewalls, pf is the way to go for me. The rules are easy to manage in a simple text configuration file, which makes it easier to maintain across reboots.

ipfw is good (for me) where speed is important and very few rules are needed. Also, if you want to do traffic shaping, dummynet+ipfw works well. The traffic shaping solutions for pf are not so good right now.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Daniel Kalchev
2014-May-23 07:49 UTC
What is your favourite/best firewall on FreeBSD and why?
On 20.05.14 10:09, Lucius Rizzo wrote:

> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

Coming from BSD/OS, IPFW was my natural choice. I have been using it for many, many years. But, as it turns out, for many years it has had a problem with table manipulation that wasn't fixed, so for these applications I switched to PF. I still prefer the IPFW style of configuration and management, though.

Daniel
G. Paul Ziemba
2014-May-23 09:00 UTC
What is your favourite/best firewall on FreeBSD and why?
Lucius.Rizzo at The.ie (Lucius Rizzo) writes:

> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I was a long-time user of ipfilter from its early days in the 1990s on Solaris. I started running it on FreeBSD in September 1999 (FreeBSD 3.2).

I switched to pf about seven months ago as I began to need to manage bandwidth for specific classes of traffic (for example, prevent outbound mailing list email from saturating the link and reserve some bandwidth for interactive use). The syntax is very close and the NAT configuration is simpler in pf.

Here are some of my reasons for switching:

1. Development activity. There seems to be almost no development of ipfilter for FreeBSD anymore. Beyond the drama last year about whether it would continue to be supported at all in FreeBSD, I'm not sure there is even any development of the base ipfilter now. The project web page (as linked from the FreeBSD Handbook as well as the Wikipedia page) seems to have disappeared.

2. Integrated queue configuration (enabling bandwidth management of selected traffic). This feature is not in ipfilter and is what drove my switch.

3. Integrated macro and subroutine support (the latter are referred to as "anchors"). It simplified my rule files a bit. Also, being able to reload rules at specific anchors simplified handling of my time-based rules.

I haven't checked recently, but I believe VIMAGE support for FreeBSD's pf is still missing. There were some development efforts a couple of years ago but I never saw the patches get added to the distributed FreeBSD. As a result I am using VirtualBox VMs instead of jails for some of my internet-facing services.

-- 
G. Paul Ziemba
FreeBSD unix:
 1:56AM  up 117 days,  2:55, 24 users, load averages: 1.49, 1.60, 1.60
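The pf features listed by Hooman (tables, interface-address NAT, round-robin rdr, reply-to, max-src-conn-rate with overload, labels, pflog, OS fingerprints, SYN proxy), the stateful configuration Mike prefers, and the queues and anchors that drove Paul's switch can all be shown in one FreeBSD 10 pf.conf. This is an added example, not a ruleset any poster shared; the interface names, addresses, bandwidth figure, queue names and the nightly anchor file are assumptions for illustration:

```conf
# /etc/pf.conf for FreeBSD 10 (OpenBSD 4.5-era syntax: nat/rdr are separate rules)
# Added example, not from any poster. Interfaces, addresses and bandwidth are assumed.
# Syntax check:  pfctl -nf /etc/pf.conf        Load:  pfctl -f /etc/pf.conf
ext_if   = "em0"                 # uplink, assumed 10 Mbit/s
ext2_if  = "em2"                 # second uplink, assumed gateway 203.0.113.1
int_if   = "em1"                 # LAN
lan      = "192.0.2.0/24"
web      = "{ 192.0.2.10, 192.0.2.11 }"
mailhost = "192.0.2.20"

# Tables hold large address sets; edit live with: pfctl -t bruteforce -T add/delete/show
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
table <bruteforce> persist       # filled automatically by the overload rule below

set skip on lo0
set limit { states 100000, src-nodes 20000 }

# ALTQ (kernel built with options ALTQ, ALTQ_CBQ): bandwidth management on the uplink.
# Interactive traffic is protected; mail gets a floor but may borrow idle bandwidth.
altq on $ext_if cbq bandwidth 10Mb queue { q_ssh, q_mail, q_std }
queue q_ssh  bandwidth 20% priority 7 cbq(borrow)
queue q_mail bandwidth 20% priority 1 cbq(borrow)
queue q_std  bandwidth 60% cbq(default borrow)

scrub in all

# NAT: ($ext_if) is re-read when the interface address changes (DHCP, failover)
nat on $ext_if from $lan to any -> ($ext_if)
# Inbound web load-sharing: round-robin over the pool, a client sticks to one server
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web round-robin sticky-address

# Anchor: a sub-ruleset replaced on its own without touching the rest, e.g.
#   pfctl -a timed/night -f /etc/pf.night.conf        (hypothetical file)
anchor "timed/*"

# Default deny, logged to pflog0 (read with: tcpdump -n -e -ttt -i pflog0)
block log all
antispoof quick for { lo0 $int_if }
block in quick on $ext_if from <martians> to any label "martians"
block in quick on $ext_if from <bruteforce> to any label "bruteforce"
# OS fingerprint as a rule condition; the class must exist in /etc/pf.os (pfctl -s osfp)
block in quick on $ext_if proto tcp from any os "NMAP" to any label "nmap-scan"

# Web pool behind the rdr: the SYN proxy completes the handshake before the servers see it
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA synproxy state label "web"

# SSH: at most 10 concurrent connections per source and 5 new ones per 30 s;
# offenders land in <bruteforce> and every state they already hold is killed
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep-state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global) \
    queue q_ssh label "ssh"

# Second uplink: replies to sessions that arrived on em2 leave via em2's gateway,
# not via the default route
pass in on $ext2_if reply-to ($ext2_if 203.0.113.1) proto tcp from any to ($ext2_if) port 443 \
    flags S/SA keep-state label "https-wan2"

# Outbound: mail is queued low so list traffic cannot starve interactive sessions
pass out on $ext_if proto tcp from $mailhost to any port 25 keep-state queue q_mail label "smtp-out"
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep-state queue q_std
pass in  on $int_if from $lan to any keep-state
pass out on $int_if from any to $lan keep-state
```

Enable it with pf_enable="YES" and pflog_enable="YES" in rc.conf; per-label counters come from pfctl -s labels, live state and queue views from pftop, and active-active failover is the same ruleset on a second box with pfsync_enable="YES" and pfsync_syncdev set to a dedicated interface. Always run pfctl -nf before pfctl -f: a syntax error with the old ruleset still loaded is recoverable, a half-loaded ruleset on a remote box often is not.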
On 5/20/14, Lucius Rizzo <Lucius.Rizzo at the.ie> wrote:

> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use PF, though I've never tried IPFilter or IPFW. Years ago, when I was trying to decide between the three, I remember finding a number of good arguments in favor of using PF.

> Also, there is a lack of good, interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent Heartbleed. If you use
> any of the firewalls and have interesting or even optimized rule sets, I
> would really like to see them :)

There are a handful of PF ruleset examples available online. I gathered them, concatenated them, did some reading and made sure they made sense for my use case, then applied them. They're on my other machine though. I'll post them shortly.
Darren Pilgrim
2014-May-24 19:12 UTC
What is your favourite/best firewall on FreeBSD and why?
On 5/20/2014 12:09 AM, Lucius Rizzo wrote:

> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter on Solaris and
> used it throughout the Solaris years. Lately, on my Linux servers, I end
> up running ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use ipfw on servers and end devices when I need a mitigation-oriented firewall. It makes simple work of putting up notch filters, but its syntax gets a bit ugly if you're doing up a router configuration.

I build routers from pf on OpenBSD and Intel hardware. $1k of PC and I can shove gigabits through full BGP tables and big sets of ACLs all day long. Something comparable from Cisco would have a five- or six-digit price tag and leave you unsatisfied. For lighter workloads, Ubiquiti's EdgeRouter family is lovely and it gets you the benefit of a well-known interface if you're handing off the admin hat. I abandon FreeBSD in this use case; ipfw syntax isn't clean enough and pf's IPv6 support is broken.

I haven't touched ipf in over a decade and don't miss it at all.
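Mike's "dummynet+ipfw for shaping" and Darren's "ipfw for notch filters" both fit in one ipfw rule file for FreeBSD 10, so here is one as an added example that none of the posters supplied. The uplink interface, the LAN prefix, the link speed, the placeholder abuser address and the blocked MAC are all assumptions; the ordering is the part worth copying: cheap stateless drops first, dummynet classification second, stateful filtering last.

```conf
# /etc/ipfw.rules for FreeBSD 10 (ipfw + dummynet). Added example, not from any poster.
# Assumed: em0 = 10 Mbit/s uplink, em1 = LAN 192.0.2.0/24, placeholder addresses below.
# Load with:  ipfw -q /etc/ipfw.rules
# Required sysctls:
#   net.inet.ip.fw.one_pass=0   packets come back to the next rule after dummynet,
#                               so a queue rule classifies but does not accept
#   net.inet.ip.fw.verbose=1    makes the "log" keyword emit to syslog (security facility)
#   net.link.ether.ipfw=1       only for the layer-2 rule
flush
pipe flush
queue flush

# --- Layer-2 notch: silence one misbehaving LAN host by MAC (syntax: MAC dst src) ---
add 90 deny MAC any 00:00:5e:00:53:01 in via em1 layer2

# --- Notch filters: stateless, early, cheap; they never reach the state table ---
add 100 deny log ip from 198.51.100.13 to any in via em0         # placeholder abuser
add 110 deny log tcp from any to me dst-port 23 in via em0       # never telnet from outside
add 120 deny log ip from 192.0.2.0/24 to any in via em0          # our LAN prefix from the uplink = spoofed

add 200 allow ip from any to any via lo0

# --- Dummynet: one pipe per direction sized to the real link so queueing happens
# --- here and not in the upstream modem's buffer; WF2Q+ queues share each pipe
pipe 1 config bw 10Mbit/s queue 50                               # upstream
pipe 2 config bw 10Mbit/s queue 50                               # downstream
queue 10 config pipe 1 weight 70                                 # interactive out (ssh, dns)
queue 11 config pipe 1 weight 10                                 # bulk mail out
queue 12 config pipe 1 weight 20                                 # everything else out
queue 20 config pipe 2 weight 70                                 # interactive in
queue 21 config pipe 2 weight 10                                 # bulk mail in
queue 22 config pipe 2 weight 20                                 # everything else in

# --- Classification: first matching queue rule wins, filtering continues afterwards
add 300 queue 10 tcp from any to any dst-port 22,53 out via em0
add 301 queue 10 udp from any to any dst-port 53 out via em0
add 310 queue 11 tcp from any to any dst-port 25 out via em0
add 320 queue 12 ip from any to any out via em0
add 330 queue 20 tcp from any 22,53 to any in via em0
add 331 queue 20 udp from any 53 to any in via em0
add 340 queue 21 tcp from any 25 to any in via em0
add 350 queue 22 ip from any to any in via em0

# --- Stateful filtering: check-state must precede the keep-state rules ---
add 400 check-state
add 410 allow tcp from 192.0.2.0/24 to any out via em0 setup keep-state
add 420 allow udp from 192.0.2.0/24 to any out via em0 keep-state
add 430 allow icmp from 192.0.2.0/24 to any out via em0 keep-state
# inbound ssh: at most 4 simultaneous states per source address
add 440 allow tcp from any to me dst-port 22 in via em0 setup limit src-addr 4
add 450 allow icmp from any to any icmptypes 0,3,8,11
add 500 allow ip from any to any via em1                         # LAN side trusted in this example
add 65000 deny log ip from any to any
```

Wire it up with firewall_enable="YES", firewall_type="/etc/ipfw.rules" and dummynet_load="YES" in rc.conf, and check the result with ipfw -a list (per-rule counters) and ipfw pipe show (queue occupancy and drops). The two sysctl settings are the usual gotcha: with one_pass left at its default of 1, every packet matched by rules 300-350 is accepted as soon as it leaves the pipe and the stateful rules below are never consulted.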
Alfred Perlstein
2014-May-24 20:12 UTC
What is your favourite/best firewall on FreeBSD and why?
On 5/20/14 12:09 AM, Lucius Rizzo wrote:

> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers, I find. Each person has their own
> proclivities. I happened to have started with IPFilter on Solaris and
> used it throughout the Solaris years. Lately, on my Linux servers, I end
> up running ufw as a lazy man's iptables CLI frontend, which is easy enough.
>
> Ultimately, configuration differences aside, all firewalls essentially
> serve the same purpose, but I wonder what your favourite is and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also, there is a lack of good, interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent Heartbleed. If you
> use any of the firewalls and have interesting or even optimized rule sets,
> I would really like to see them :)
>
> Regards,

I prefer IPFW because generally my configs are relatively simple and the rules just read naturally to me, as opposed to the other systems. It reads very easily, and since I'm generally doing basic things it's nice not to have to think too hard about what I am trying to do.

-Alfred