Which firewall product is best?

Hello

I need to set up my firewall and am wondering which product people think is the best. I welcome your opinions.

Thanks
 
The one that works best for you.

I like ipfw because of how you can write dynamic scripts, but it can suck with IPv6.

pf is old, but in FreeBSD 9 it will be updated to a newer version.

ipf - Never tried
 
Search the forums. This topic comes up a couple of times a year, and we have several threads that cover the pros/cons of each packet filter.

The "best" packet filter is the one you know how to configure and monitor.
 
I have used pf, ipf, ipfw.

In my opinion, ipf is the best. It's very useful when you use a script to add or remove rules. There is no lockout issue with ipf.

pf is good, has powerful features and can have a lot of options. It's handy when you are blocking a medium DDoS. It supports more rules than ipf. But the problem is the lockout issue. You can easily get locked out, and pf may block everything, including the local LAN, if there is any problem in the ruleset. So it's very difficult to automate adding rules with scripts.

We used to use screen and sleep when loading pf rules.

Like

# pfctl -f /etc/pf.conf; sleep 10; pfctl -F rules

ipfw is OK. We can add rules with scripts. No lockout issue, but overall lower performance than ipf.
 
Harikrishnan, we also use pf, together with ipfw. And I should say that there is absolutely no problem automating pf loading; read the pfctl(8) man page:
    -n    Do not actually load rules, just parse them.
Moreover, there is no need to load the whole pf.conf when you just need to add or remove some rules; pfctl has a bunch of options: you can load only nat/options/rules/tables etc., or you can use independent "anchors", or even merge the new rules with the old ones.

> ipfw is OK. We can add rules with scripts. No lockout issue, but overall lower performance than ipf.
I really have some doubts about that. I think it's already an outdated and stale project. For example, in the past four years the only differences in libipf are:
Code:
--- src/sbin/ipf/libipf/Makefile	2008/10/02 02:57:24	1.2.2.2.4.1
+++ src/sbin/ipf/libipf/Makefile	2012/03/03 06:15:13	1.7.10.1.8.1
@@ -1,4 +1,4 @@
-#	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipf/libipf/Makefile,v 1.2.2.2.4.1 2008/10/02 02:57:24 kensmith Exp $
+#	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipf/libipf/Makefile,v 1.7.10.1.8.1 2012/03/03 06:15:13 kensmith Exp $
 
 LIB=		ipf
 INTERNALLIB=
@@ -23,7 +23,7 @@ SRCS=		addicmp.c addipopt.c alist_free.c
 		printportcmp.c printproto.c printsbuf.c printstate.c \
 		printtqtable.c printtunable.c remove_hash.c remove_hashnode.c \
 		remove_pool.c remove_poolnode.c resetlexer.c rwlock_emul.c \
-		tcp_flags.c tcpflags.c v6ionames.c v6optvalue.c \
+		tcp_flags.c tcpflags.c tcpoptnames.c v6ionames.c v6optvalue.c \
 		var.c verbose.c
 
 .include <bsd.lib.mk>
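Review bot: the SRCS list now names tcpoptnames.c, but the diff carries no hunk for that file, so nothing here shows it exists in the tree at revision 1.7.10.1.8.1; confirm the source file was imported with the same update, otherwise make in sbin/ipf/libipf fails on the missing file.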

The other files of ipfilter also seem abandoned.

So I would prefer ipfw (especially brilliant with dummynet) and, less so, pf (great dynamic rules and easily managed).
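The two points above (Harikrishnan's "load, sleep, flush" trick and the -n / anchor options from this reply) can be combined into a reload script that cannot lock you out. The script below is an added example, not code from either poster or from the pf project. It assumes a FreeBSD host with pfctl(8); the PFCTL variable (so the logic can be exercised against a wrapper instead of a live firewall), the /tmp paths, the confirmation-file convention and the 30-second grace period are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a guarded pf reload.
# Assumes FreeBSD with pfctl(8). PFCTL may point at a wrapper so the
# control flow can be tested without touching a real firewall.
PFCTL="${PFCTL:-pfctl}"

# Step 1: parse only (pfctl -n). A ruleset that does not parse never
# reaches the kernel, so a scripted change fails in the script, not in pf.
pf_check() {
    "$PFCTL" -nf "$1"
}

# Step 2: save the currently loaded filter rules to a file that pfctl -f
# can load again. Reverting to this beats "pfctl -F rules", which leaves the
# host with no filter at all. (-sr covers filter rules only; NAT rules and
# table contents are not included.)
pf_snapshot() {
    "$PFCTL" -sr > "$1"
}

# Step 3: load the new ruleset only after it parses cleanly.
pf_load() {
    pf_check "$1" || return 1
    "$PFCTL" -f "$1"
}

# Step 4: watchdog. Sleep $3 seconds; if the admin has not created the
# confirmation file $2 by then (i.e. the new rules cut them off), reload the
# snapshot $1. Returns 0 when confirmed, 1 when it had to roll back.
pf_watchdog() {
    sleep "$3"
    if [ -e "$2" ]; then
        return 0
    fi
    "$PFCTL" -f "$1"
    return 1
}

# Alternative to a full reload: replace the rules of one anchor and leave
# everything else (including whatever keeps your ssh session open) untouched.
pf_load_anchor() {
    pf_check "$2" || return 1
    "$PFCTL" -a "$1" -f "$2"
}

# Typical run:   ./pfreload.sh /etc/pf.conf
# then, once you have confirmed you still have access:   touch /tmp/pf.ok
main() {
    conf=$1
    snap=/tmp/pf.rules.prev
    ok=/tmp/pf.ok
    rm -f "$ok"
    pf_snapshot "$snap" || exit 1
    pf_load "$conf" || exit 1
    pf_watchdog "$snap" "$ok" 30 &
    echo "new rules loaded; touch $ok within 30 s or the previous rules return"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The difference from the plain "sleep 10; pfctl -F rules" version is that a timeout restores the previous ruleset instead of flushing to an open firewall, and nothing is loaded at all unless pfctl -n accepts the file first.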
 
Doing NAT on your firewall? Stay away from ipnat / ipf (here in 2012) -- it is old and will crash your box under load with a Fatal 12! Use ipfw (and the ipfw_nat module)!
 