On 5/20/2014 12:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls
> essentially serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use ipfw on servers and end devices when I need a mitigation-oriented firewall. It makes simple work of putting up notch filters, but its syntax gets a bit ugly if you're doing up a router configuration.

I build routers from pf on OpenBSD and Intel hardware. $1k of PC and I can shove gigabits through full BGP tables and big sets of ACLs all day long. Something comparable from Cisco would have a five- or six-digit price tag and leave you unsatisfied. For lighter workloads, Ubiquiti's EdgeRouter family is lovely and it gets you the benefit of a well-known interface if you're handing off the admin hat. I abandon FreeBSD in this use case--ipfw syntax isn't clean enough and pf's IPv6 support is broken.

I haven't touched ipf in over a decade and don't miss it at all.

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"