Solved common consensus on better firewall on FreeBSD 11?

I'm curious if there is any consensus about if ipfw or pf is a better firewall on FreeBSD 11 for general purpose? (Not trolling for a war here - brief look shows a bit of traffic for both.)

If not a consensus about which firewall overall, is there consensus on advantages to each?
 
"What's better" is a highly subjective question without a proper answer. At least not one without starting a religious war. What's right for me might royally screw you over. They're all good if that's what you're asking. After 15+ years of using FreeBSD I've switched often enough and I still haven't really settled on one thing or the other. Times change, usage changes, I change. What I like now I might hate later. Just try one, see what you like about it, or not. Then try another.
 
So I'm good with those answers as it is. I have used both and I have had a firewall running on FreeBSD for a few years. And I have looked at the handbook.

I know there is choice in FreeBSD which is good and all, but see paradox of choice.

So I think the answer is no, there isn't a consensus on <X> is generally the better choice except in these niche circumstances. And since last time I looked I settled on IPFW, for no spectacularly strong reason, I'll just stick with it.

Thanks all.
 
I use IPFW's canned workstation setting. Then I use PF on top of that. There are hardly any mentions of IPF on FreeBSD's forums, which leads me to believe it is used by some, but its use isn't as popular.
 
I used this as a guide

Simple firewall for a desktop setup, where I allow https and http, i.e. my /etc/rc.conf contains
Code:
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="http https"
firewall_allowservices="any"
firewall_logdeny="YES"
and after the initial edits I ran (as root)
Code:
service ipfw start
which, if my understanding is correct, uses IPFW and has it auto-start at each reboot.

Better for me, as it was simple. Bearing in mind my PC sits behind that internal (home) firewall, which is behind an internal router's firewall, which is behind my cable modem's firewall (I used to connect to the internet via the internal router, but later the cable provider upgraded the connection by supplying a new dedicated cable modem). I connect via hard wire and the internal router has wireless disabled ... wireless is only available via the main cable modem's router. So in many respects that firewall is just a protection against other family members' PCs that are hard wired to the same internal router (i.e. if they caught a virus that sought to migrate to other devices on the same LAN segment).
 
My IPFW workstation setting allows http, https and many other commonly used desktop ports without adding them. Perhaps yours needs it, if it's a server, router, or gateway?
Code:
firewall_enable="YES"
firewall_type="workstation"
I also use service ipfw onerestart instead of kldload/kldunload, because using kldload will cause it to not load properly and then deny everything.
 
I use IPFW's canned workstation setting. Then I use PF on top of that. There are hardly any mentions of IPF on FreeBSD's forums, which leads me to believe it is used by some, but its use isn't as popular.

ipfilter's ipnat has bugs that started when ipf version 5 replaced version 4 when FreeBSD 10 came out. Some good reading about it here: https://forums.freebsd.org/threads/50618/

If you do not have any NAT going on, then you won't see this problem; however, if you do, performance seriously degrades in a few days/hours depending on the amount of NAT traffic. I bit the bullet and switched to PF and actually like its features better than IPF.
 
In general I'd say that ipfw is the best if you consider overall performance and feature set; pf is my personal favorite (sane syntax and debugging) but it is slower, although it does have some features that ipfw lacks and vice versa. ipf(ilter) is still maintained but I would highly recommend you migrate to pf and/or ipfw. I vaguely remember there were some ideas about porting npf (NetBSD packet filter) to FreeBSD as it shouldn't diverge as much from upstream, but I don't know the current status on that. Currently pf in upstream (OpenBSD) is much different compared to the one in FreeBSD, making it tedious/troublesome to backport.
 
Currently pf in upstream (OpenBSD) is much different compared to the one in FreeBSD making it tedious/troublesome to backport.

I know the implementation of the pf firewall is different in FreeBSD than OpenBSD but do not know the specifics. I use pf on my FreeBSD and OpenBSD boxen, with the same ruleset I use on FreeBSD, the only exception being 2 rules that aren't recognized due to the syntax.

I've used a home brewed pfSense router that also used the pf firewall so that's what I'm familiar with and prefer.
 
I have only used IPFW and PF at a time when I was trying to build a gateway.

I began with IPFW but I switched quickly to PF for the following reasons:

- I find the last-matching-rule semantics much more interesting
- I like the powerful system of tables. With these tables I have mapped the main addresses per group (Multicast, IPv6 public block etc ...)
- I like the anchors and the dynamic tables
- I like the tagging rule option (but it would be great if tags could survive in a local network across several devices running PF)

It has been quite a long time since I used IPFW, but what I remember about it:
- you can filter per user
- you can easily filter per MAC address (it seems to be possible with PF but at another level, with ifconfig, so less flexible)
- And the main thing.... IPFW is the sole firewall capable of running in a FreeBSD jail, so if you create a complex system jail and assign it its own firewall, this can simplify firewall ruling on the host level by delegating subfiltering to another firewall
- perhaps PF is a little less stable on FreeBSD than IPFW.

I would say IPFW is good and enough for a desktop computer; it is simple and efficient.
PF is a little more complex, but when you want to build a gateway with a restrictive philosophy (so banning all per default, authorizing per rules, which needs a big job to identify and classify all the possible traffic and establish who has the right to do what), you must switch to Packet Filter.

IPFW can also do the job, but with less flexibility and so with a huge set of rules to write compared to PF, but IPFW suffices if you create a more classic, less restrictive gateway, such as: allowing all per default, banning traffic per rules.

One thing that is still missing in *nix firewalls is the possibility to filter by "process location".
For example, Google Chrome is experimenting with a new HTTP protocol over UDP with Google QUIC; you need to authorize outgoing traffic to some Google servers, and you must also authorize incoming traffic.

Filtering per process identified by its location on the drive would permit applying the rule only to Chrome, without taking the risk of opening the port too widely, which I do very easily on a Windows desktop computer with Comodo.

On a FreeBSD workstation with PF, I will be forced to open the non-standard UDP port 443 widely.

But fortunately I managed to find the Google network masks linked to the QUIC protocol servers, so I can limit the traffic to these subnetworks owned by Google.

One day on a Linux machine I will probably look at iptables just for curiosity.
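The post above describes the PF features it prefers (last-matching-rule semantics, tables, anchors, tags) and the workaround of limiting QUIC to a set of Google prefixes instead of opening UDP 443 to everyone. As an added example, not written by any participant in this thread, here is a workstation pf.conf that puts those pieces together; the interface name, the prefix file path and the anchor name are assumptions, and the prefix file must be filled in from your own research.

```pf
# Constructed example workstation /etc/pf.conf (not from any post in this thread).
# em0 and /etc/pf.google_quic are placeholders; adjust them for your host.
ext_if = "em0"

# Table of Google prefixes that serve QUIC, loaded from a file you maintain,
# so UDP 443 is never opened to the whole Internet.
table <google_quic> persist file "/etc/pf.google_quic"

# Dynamic table: sources that exceed the SSH rate limit below land here.
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Normalize fragments before filtering.
scrub in all

# Default deny. pf applies the LAST matching rule, so this base rule is
# overridden by the more specific pass rules below; "quick" stops evaluation.
block log all

# Drop anything from sources already caught by the rate limit.
block in quick from <bruteforce>

# Anchor for rules managed at runtime (pfctl -a chrome -f file), kept apart
# from this static ruleset.
anchor "chrome"

# ICMP echo only; state is kept by default in modern pf.
pass inet proto icmp icmp-type echoreq

# Stateful outbound TCP for common desktop services, tagged for later matching.
pass out on $ext_if proto tcp to any port { 22 53 80 443 } \
    flags S/SA keep state tag OUTBOUND

# DNS over UDP.
pass out on $ext_if proto udp to any port 53 keep state

# QUIC: outbound UDP 443 only to the Google prefixes in the table. The state
# entry admits the return traffic, so no separate inbound rule is needed.
pass out on $ext_if proto udp to <google_quic> port 443 keep state

# Inbound SSH with a limit: more than 10 new connections in 30 s from one
# source adds it to <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn-rate 10/30, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and inspect the tables with `pfctl -t google_quic -T show` and `pfctl -t bruteforce -T show`.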
 
One thing that is still missing in *nix firewalls is the possibility to filter by "process location".
For example, Google Chrome is experimenting with a new HTTP protocol over UDP with Google QUIC; you need to authorize outgoing traffic to some Google servers, and you must also authorize incoming traffic.

Thanks for the mention of QUIC, I hadn't heard of it:

QUIC FAQ for Geeks

I can't see myself granting access to Google servers beyond SPI though. I don't even like allowing scripting for Google.
 
I would say IPFW is good and enough for a desktop computer; it is simple and efficient.
PF is a little more complex, but when you want to build a gateway with a restrictive philosophy (so banning all per default, authorizing per rules, which needs a big job to identify and classify all the possible traffic and establish who has the right to do what), you must switch to Packet Filter.
Wozzeck.Live, hello.
Now I am thinking about the choice of firewall type for FreeBSD 12.0 on my laptop for typical home use (I read M. W. Lucas, who noted that most servers have a high security level, but most workstations don't have a sufficient security level; the laptop is not used as a NAT router or gateway, which is done by a Linksys home Wi-Fi router or a Wi-Fi AP from mobile), and it seems to me like PF.
Can you upload your pf.conf, for example?
 
Google Chrome is experimenting with a new HTTP protocol over UDP with Google QUIC; you need to authorize outgoing traffic to some Google servers, and you must also authorize incoming traffic.

Filtering per process identified by its location on the drive would permit applying the rule only to Chrome, without taking the risk of opening the port too widely, which I do very easily on a Windows desktop computer with Comodo.

On a FreeBSD workstation with PF, I will be forced to open the non-standard UDP port 443 widely.

But fortunately I managed to find the Google network masks linked to the QUIC protocol servers, so I can limit the traffic to these subnetworks owned by Google.

Could you please share here (or by PM) these network masks?
Thank you a lot!
 