How to choose between pf, ipfw, and ipfilter?

IPFilter and PF are quite similar in syntax and both do the same job on paper. However, IPFilter hasn't seen that much development and improvement lately on FreeBSD, so the selection between those two would be PF. IPFW is a much more advanced firewall that is capable of, for example, layer 2 filtering that the other two can't do. IPFW is much harder to use because the rule formalism (meaning how the rules are evaluated at runtime and other finer details) is much cruder and requires much more attention to get your rules right.
 
I would add that being easy or hard to use may depend upon what you're doing. For simple firewalling, that is, simple allowing and denying, I find IPFW syntax a bit easier. We use both, depending upon a) the situation and b) which admin configured the server. :)
 
You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.

That is not quite accurate. Development has diverged between the two. FreeBSD's version has some features that the OpenBSD version lacks (SMP). Also, my (possibly mistaken) impression is that the OpenBSD version keeps making the syntax weirder with each version.

As for the original question:

PF for features, power, and clarity of firewall rules.
IPFW for slightly faster performance.
IPF... well, I've been told it is similar to Cisco firewalls.
 
You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.

See https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051234.html

That's not the whole story at all. The syntax used by FreeBSD PF is stuck in what it is now because of the POLA principle but there has been a whole bunch of work done on the internals to improve it and fix problems.

I wouldn't call the newer OpenBSD syntax weird. It actually makes a lot of sense because it ties together all processing rules that are applied to all packets regardless of state under the match directive, including nat, rdr and scrub.
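To make the syntax difference the post describes concrete, here is the same small NAT and port-forwarding policy written twice: once in the pre-OpenBSD-4.7 dialect that FreeBSD's pf still uses, and once with the match/nat-to/rdr-to form OpenBSD moved to. This is an added example, not a ruleset from any post in this thread; the interface names, the internal network and the web server address are assumptions, and the two halves would normally live in separate pf.conf files.

```pf
# Added example (not from this thread). em0/em1, 192.168.1.0/24 and
# 192.168.1.10 are assumed values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

### 1. FreeBSD pf (OpenBSD 4.5-era syntax)
# scrub, nat and rdr are separate rule types evaluated before the filter
# rules, so the filter rule for forwarded web traffic must name the
# post-translation destination ($web_srv), not the external address.
scrub in all
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
block in all
pass out quick keep state
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
pass in on $int_if from $int_net to any keep state

### 2. OpenBSD 4.7 and later
# scrub, nat and rdr become options on match/pass rules. A match rule is
# applied to every packet it matches without deciding pass/block, and the
# filter sees pre-translation addresses, so the web rule names ($ext_if).
match in all scrub (no-df)
match out on $ext_if from $int_net to any nat-to ($ext_if)
block in all
pass out quick
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv
pass in on $int_if from $int_net to any
```

Either file can be syntax-checked without loading it with `pfctl -nf <file>`, and the point of the second form is the one the post makes: translation is no longer a separate pass over the packet, it is attached to whichever filter or match rule you want it on.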
 
Aaaand the winner, for me with my very simple requirements: PF, simply because it was the first one I tried and it was adequate for my need. My need was to be able, for a given user ID:
  • to allow the usual unrestricted access;
  • to allow access to only 10.0.0.1/16 and 192.168.8.1/16 and 127.0.0.1/8;
  • to allow access to only 127.0.0.1/8; or
  • to allow access to nothing.
I've done a proof of concept! Yay! It doesn't work for user ID 0, but that's ok.

Now the only thing that remains is to write a setuid root utility which allows the user to specify the desired level of access for himself (or allow root to set it for any user ID, given that user ID on the command line). This is for users reading mail that might contain (a) trusted, or (b) suspicious links.
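One way to express the four access levels described in the post above in FreeBSD pf syntax, as an added example rather than the poster's own proof of concept. The user names are assumptions, and the two networks are taken as 10.0.0.0/16 and 192.168.0.0/16, which is presumably what 10.0.0.1/16 and 192.168.8.1/16 were meant to denote. The ruleset relies on pf's last-matching-rule-wins evaluation: the general policy comes first and the per-user restrictions after it, so they override it only for the users they name.

```pf
# Added example (not from this thread). User names and the network
# ranges are assumed values; adjust to your own users and networks.
trusted_nets = "{ 10.0.0.0/16, 192.168.0.0/16 }"

# General policy for everyone. Later rules override these for the
# users they name, because the last matching rule wins.
block all
pass in on lo0
pass out keep state

# Level 1, unrestricted: no per-user rule, the general "pass out" applies.

# Level 2: only the trusted networks and loopback.
block out user mail_lvl2
pass out on lo0 user mail_lvl2
pass out inet to $trusted_nets user mail_lvl2 keep state

# Level 3: loopback only.
block out user mail_lvl3
pass out on lo0 user mail_lvl3

# Level 4: nothing at all, loopback included (hence no "set skip on lo0").
block out user mail_lvl4
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Two caveats a practitioner should keep in mind: the `user` keyword is only resolvable for TCP and UDP sockets owned on this host, so forwarded traffic and ICMP have no owner and are not caught by the per-user block lines; and because the per-user rules are plain block/pass rules, a setuid tool that changes a user's level would have to rewrite and reload this section (or load per-user rules into a pf anchor with `pfctl -a`) rather than flip a single switch.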
 
Beware that IPv6 is fairly broken in pf and, from what I've gathered regarding pf's syntax, it hasn't been updated because no one has followed upstream. The major issue right now is that it has diverged too much from OpenBSD which makes updating troublesome. I know there has been some talk about bringing npf over from NetBSD which supposedly is quite portable and in very active development. On the plus side, syntax is very similar to pf.
//Danne
 
Beware that IPv6 is fairly broken in pf and, from what I've gathered regarding pf's syntax, it hasn't been updated because no one has followed upstream. The major issue right now is that it has diverged too much from OpenBSD which makes updating troublesome. I know there has been some talk about bringing npf over from NetBSD which supposedly is quite portable and in very active development. On the plus side, syntax is very similar to pf.
//Danne

IPv6 works well enough for me on 10.1-RELEASE. I'm using a gif(4) tunnel from SixXS. The biggest missing features are rdrs (for a proxy for example) and handling of IPv6 fragments (https://en.wikipedia.org/wiki/IPv6_packet#Fragmentation) and those are being worked on at the moment in stable/10. Those are not exactly showstoppers under normal use of IPv6.
 
PF and IPv6 works fine on my dual stacked server (mail, web, dns) running FreeBSD 9.3-RELEASE. I am not using any tunnels because I have a /64 assigned to me.
 
https://www.mail-archive.com/freebsd-pf@freebsd.org/msg06375.html (a few notes)
https://redmine.pfsense.org/issues/2762 (mentioned earlier)
etc
The list is long unfortunately and there's more in the mailinglists for those who want to dig a bit further.
//Danne

Do you have any first-hand experience with PF used with IPv6? You would think those who use it for real would very quickly run into the showstoppers if there were any major ones? The reality is that PF with IPv6 does work well enough and the issues mentioned are not major enough to prevent it from use, not in the usability nor the security sense.
 
Beware that IPv6 is fairly broken in pf
You meant to say the FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream :)

@OP As a rule of thumb, if you need PF run OpenBSD, unless you are dealing with 20 Gigabit and 50 Gigabit networks. In that case OpenBSD is a work in progress and currently can't handle those network speeds.

If you use FreeBSD, use the native firewall IPFW unless you are very familiar with PF (like me) and are not using FreeBSD as a perimeter firewall.
IMHO PF has no future on FreeBSD unless we count those Apple laptops which FreeBSD developers like to use so much. Those (OS X) of course use PF as we know, and a much newer version than the one you can find on vanilla FreeBSD.
 
Nice entry reader: https://forums.freebsd.org/threads/freebsd-vs-openbsd-pf.12383/#post-73730
Thank you, Oko :)
kpa talking about PF earlier:
It works fine for most part but any kind of NAT on IPv6 does not work because the rewritten packets will have invalid checksums and are dropped.

Before anyone jumps in and says that NAT is never needed with IPv6, think again. How are you going to get an FTP proxy working on IPv6 without NAT?

You would think those who use it for real would very quickly run into the showstoppers if there were any major ones? The reality is that PF with IPv6 does work well enough and the issues mentioned are not major enough to prevent it from use, not in the usability nor the security sense.

IPv6 is much more complex than IPv4. Even experts still struggle with configuring IPv6. Now from a pragmatic view, why would I want to use a product that is "good enough" for not being a "showstopper", and has other shortcomings (like lack of active development)? If I had a choice I'd prefer excellence over "good enough" wheresoever affordable. BTW, is "showstopper" an adequate category regarding a security-related firewall?

You meant to say the FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream :)

@OP As a rule of thumb, if you need PF run OpenBSD, unless you are dealing with 20 Gigabit and 50 Gigabit networks. In that case OpenBSD is a work in progress and currently can't handle those network speeds.

If you use FreeBSD, use the native firewall IPFW unless you are very familiar with PF (like me) and are not using FreeBSD as a perimeter firewall.

Oko, just to reverse your semantics: if there were the possibility of giving more than one thanks, you would get more on this posting; in the meantime I use an older one from Mar 19, 2010, because nothing has changed since. ;)

People having chosen PF as their firewall might be happy for that time, starting to learn PF and using it for a while thereafter. Usually they get stuck with PF at this point, refusing to learn another firewall syntax/concept. From my point of view it is essential for a starter to make the right decision at a very early stage. IMHO choosing Packet Filter PF for FreeBSD might be the wrong decision, if you do not want to be caught on the wrong leg some time after.

To make up your minds there is:
http://lists.freebsd.org/pipermail/freebsd-current/2014-July/051229.html

and a very clear statement from phoenix a/o Dec 19, 2014 :
One of the FreeBSD mailing lists had a discussion about this in the very recent past (maybe November, October at the earliest).

Going from memory:
  • IPFW is under the most active development, and getting new features on an almost weekly basis.
  • PF is at a crossroads and there's discussion and arguments around what to do with it (unfortunately, there's a lack of developers to do any of this work):
    • scrap all the SMP work, import the latest PF, run it as a single-threaded packet filter, and keep it up-to-date with OpenBSD PF
    • keep the current config file format, and just manually add the missing features
    • try to update PF to match the features and config file format from OpenBSD without breaking the SMP support and just support it as a complete fork from OpenBSD PF
  • Colin Percival and one or two other developers are working on IPF. Don't remember the details, but there were some commits from them recently.
 
People having chosen PF as their firewall might be happy for that time, starting to learn PF and using it for a while thereafter. Usually they get stuck with PF at this point, refusing to learn another firewall syntax/concept. From my point of view it is essential for a starter to make the right decision at a very early stage. IMHO choosing Packet Filter PF for FreeBSD might be the wrong decision, if you do not want to be caught on the wrong leg some time after.

I have worked as a firewall administrator in the past for a large multinational company, dealing with Banking transactions. I was dealing with 12 firewalls all in HA mode. Checkpoint, Cisco ASA & FWSM blades.
The bugs that we discovered on all platforms were tremendous. Given the nature of the business it was impossible to disrupt production, therefore patching/upgrading had to be scheduled off times, usually between 3 to 5 am Sundays.

That is all past now, fortunately, and I don't have to deal anymore with stupid firewalls. That said, I can still write a policy in any type of firewall in under 10 minutes. I can also troubleshoot connectivity issues with ease.

And I choose PF for my dual stacked FreeBSD firewalls.

Thanks
 
gkontos

Nice opinion advertising PF and yourself. But does it help those selecting a firewall for FreeBSD?

phoenix's statement I cited above does.

Sharing my experiences does not mean that I am advertising myself. Obviously you misunderstood my intentions.

My point is choose whatever suits you best and keep it simple. There is no such thing as bug free stateful inspection. There is NO SUCH THING as a "best firewall" for FreeBSD.
 
Well, that's what I found as "shared experience" in your posting. But does it enlighten anyone?
For the rest you are talking about yourself.

And you made a decision suiting your personal needs, which has not been criticized.

Yes, I did speak as an expert in this field because of my experience. As a freelancer, I never advertise my "firewalling" skills because I choose to get involved in different fields.

The OP question has been answered thoroughly in the first posts.

I just think that your criteria for saying that PF is broken are based upon pure BS. Much like your answers in a similar thread regarding PCI.
 
gkontos
Now as you cannot add more of your "experience" you switch from arguments to personal and narcissistic bashing. I could have called your output (also elsewhere) bullshit too, but I did not for preferring staying polite.

Feel free to contact me, I can share some knowledge from my experiences to you at a reasonable price.
 
Oko
Yes, I meant FreeBSD's case.... Anyhow, I don't think npf (for now) supports IPv6 any better than our current version of pf but seeing active development is encouraging and I think all would benefit if we could unify firewalls between BSDs. That said, I wouldn't mind seeing ipfw using pf's syntax (new or old). ;-)
//Danne
 
Oko
I think all would benefit if we could unify firewalls between BSDs.
//Danne
That is never going to happen. BSDs (Free, DragonFly, Net, and Open) are not Linux distros. They are separate OSs originating from the same 4.4BSD-Lite, with very different sets of objectives and code bases which can't be reconciled.

BTW, people who like IPFW should look at the new IPFWv3 implementation on DragonFly. Truly radical and original direction which uses the advantages of the DragonFly kernel. "Original" IPFW on FreeBSD is going through a renaissance with new lead developer Luigi and co-workers. NPF in NetBSD is getting lots of love and is a really original piece of work. It is probably the most interesting thing besides Xen 4.5 in the NetBSD 7.0 release.

Finally, the real OpenBSD version of PF, and the whole network stack for that matter, are becoming multi-core capable and getting tests on 20 and 50 Gigabit networks.

These are good days for firewalls in BSD world.
 
Oko
While I'm not a kernel hacker from what I understand at least npf uses something similar to netmap called rumpkernel(?) so it is supposedly quite portable.
//Danne
 
You are strongly encouraged to do so or this thread will be closed soon.
Please do not close this thread yet. I am currently absorbing much of the conversation and cited outside resources, and suspect I'll have something more substantive to say within a few days. It's not true that I've gotten everything I needed to know within the first few replies. Much of the rest has been very, very helpful.
 