In general, what are the important differences between pf, ipfw, and ipfilter? Why would one choose one of them over the others?
You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only. IPFilter and PF are quite similar in syntax and both do the same job on paper. However, IPFilter hasn't seen that much development and improvement lately on FreeBSD, so the selection between those two would be PF.
You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.
I think this will help... Chapter 30 Firewalls
My apologies. I should have noted that I had already read that chapter, and was looking for aspects that weren't discussed there. That would have saved you the trouble. (I know that I like it when original posters say what they've already read.)
You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.
See https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051234.html
Beware that IPv6 is fairly broken in pf and from what I've gathered regarding pf's syntax it hasn't been updated because no one has followed upstream. The major issue right now is that it has diverged too much from OpenBSD which makes updating troublesome. I know there has been some talk about bringing npf over from NetBSD which supposedly is quite portable and in very active development. On the plus side, syntax is very similar to pf.
//Danne
https://www.mail-archive.com/freebsd-pf@freebsd.org/msg06375.html (a few notes)
https://redmine.pfsense.org/issues/2762 (mentioned earlier)
etc
The list is long unfortunately and there's more in the mailing lists for those who want to dig a bit further.
//Danne
Beware that IPv6 is fairly broken in pf
You meant to say the FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream.
It works fine for the most part, but any kind of NAT on IPv6 does not work because the rewritten packets will have invalid checksums and are dropped.
Before anyone jumps in and says that NAT is never needed with IPv6, think again. How are you going to get an FTP proxy working on IPv6 without NAT?
You would think those who use it for real would very quickly run into the showstoppers if there were any major ones? The reality is that PF with IPv6 does work well enough and the issues mentioned are not major enough to prevent it from use, neither in the usability nor the security sense.
You meant to say FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream
@OP As a rule of thumb, if you need PF run OpenBSD unless you are dealing with 20 Gigabit and 50 Gigabit networks. In that case OpenBSD is a work in progress and currently can't handle those network speeds.
If you use FreeBSD, use the native firewall IPFW unless you are very familiar with PF (like me) and not using FreeBSD as a perimeter firewall.
One of the FreeBSD mailing lists had a discussion about this in the very recent past (maybe November, October at the earliest).
Going from memory:
- IPFW is under the most active development, and getting new features on an almost weekly basis.
- PF is at a crossroads and there's discussion and arguments around what to do with it (unfortunately, there's a lack of developers to do any of this work):
  - scrap all the SMP work, import the latest PF, run it as a single-threaded packet filter, and keep it up-to-date with OpenBSD PF
  - keep the current config file format, and just manually add the missing features
  - try to update PF to match the features and config file format from OpenBSD without breaking the SMP support and just support it as a complete fork from OpenBSD PF
- Colin Percival and one or two other developers are working on IPF. Don't remember the details, but there were some commits from them recently.
People having chosen PF as their firewall might be happy for that time starting to learn PF and using it for a while thereafter. Usually they get stuck with PF at this point, refusing to learn another firewall syntax/concept. From my point of view it is essential for a starter to make the right decision at a very early stage. IMHO choosing Packet Filter PF for FreeBSD might be the wrong decision, if you do not want to be caught on the wrong leg some time after.
Well, that's what I found as "shared experience" in your posting. But does it enlighten anyone?
For the rest you are talking about yourself.
And you made a decision suiting your personal needs, which has not been criticized.
gkontos
Now as you cannot add more of your "experience" you switch from arguments to personal and narcissistic bashing. I could have called your output (also elsewhere) bullshit too, but I did not, preferring to stay polite.
I suggest that we ignore each other
You are strongly encouraged to do so or this thread will be closed soon.
That is never going to happen. BSDs (Free, DragonFly, Net, and Open) are not Linux distros. They are separate OSs originating from the same 4.4BSD-Lite with very different sets of objectives and code bases which can't be reconciled.
You are strongly encouraged to do so or this thread will be closed soon.
Please do not close this thread yet. I am currently absorbing much of the conversation and cited outside resources, and suspect I'll have something more substantive to say within a few days. It's not true that I've gotten everything I needed to know within the first few replies. Much of the rest has been very, very helpful.