I have only used IPFW and PF at a time when I was trying to build a gateway.
I began with IPFW but I switched quickly to PF for the following reasons:
- I find the last matching rule much more interesting
- I like the powerful system of tables. With these tables I have mapped the main addresses per group (multicast, IPv6 public block, etc.)
- I like the anchors and the dynamic tables
- I like the tagging rule option (but it would be great if tags could survive in a local network across several devices running PF)
It has been quite a long time since I used IPFW, but this is what I remember about it:
- you can filter per user
- you can easily filter per MAC address (it seems to be possible with PF but at another level, with ifconfig, so less flexible)
- And the main thing.... IPFW is the sole firewall capable of running in a FreeBSD jail, so if you create a complex system jail and give it its own firewall, this can simplify firewall rules at the host level by delegating sub-filtering to another firewall
- perhaps PF is a little less stable on FreeBSD than IPFW.
I would say IPFW is good and enough for a desktop computer; it is simple and efficient.
PF is a little more complex, but when you want to build a gateway with a restrictive philosophy (banning everything by default and authorizing per rule, which requires a big job to identify and classify all the possible traffic and establish who has the right to do what), you must switch to Packet Filter.
IPFW can also do the job, but with less flexibility and so with a huge set of rules to write compared to PF; still, IPFW suffices if you create a more classic, less restrictive gateway, such as: allowing everything by default and banning traffic per rule.
One thing that is still missing in *nix firewalls is the possibility to filter by "process location".
For example, Google Chrome is experimenting with a new HTTP protocol over UDP, Google QUIC: you need to authorize outgoing traffic to some Google servers, and you must also authorize incoming traffic.
Filtering per process, identified by its location on the drive, would make it possible to apply the rule only to Chrome, without taking the risk of opening the port too widely, which I do very easily on a Windows desktop computer with Comodo.
On a FreeBSD workstation with PF, I am forced to open the non-standard UDP port 443 widely.
But fortunately I managed to find the Google network masks linked to the QUIC protocol servers, so I can limit the traffic to these subnetworks owned by Google.
One day on a Linux machine I will probably look at iptables just out of curiosity.
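An added example, not from the post above, of the PF features it mentions in a default-deny pf.conf: last-match semantics with a catch-all block, tables (static, file-backed and dynamic), tags, an anchor, and outbound QUIC restricted to a table of server prefixes instead of UDP/443 to the whole Internet. Interface names, the table file path and the anchor name are placeholders.

```pf
# Added example (not from the original post): default-deny gateway pf.conf.
# em0/em1, /etc/pf/quic_servers.txt and the "jails" anchor are placeholders.
ext_if = "em0"
int_if = "em1"

# Tables: group addresses once, reference them from many rules.
table <rfc1918>    const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <multicast>  const { 224.0.0.0/4 }
# File-backed table: one verified QUIC server prefix per line (placeholder path).
table <quic_srv>   persist file "/etc/pf/quic_servers.txt"
# Dynamic table, filled at runtime by the overload rule below.
table <bruteforce> persist

set skip on lo0
scrub in all

# Last-matching-rule semantics: this catch-all loses to any later "pass".
block log all

# Anti-spoofing and no multicast crossing the gateway. "quick" stops evaluation
# immediately, so these wins cannot be overridden by a later pass rule.
antispoof quick for { $ext_if $int_if }
block in quick on $ext_if from <rfc1918> to any
block quick from any to <multicast>
block in quick from <bruteforce>

# Tag LAN traffic on entry; decide on exit based on the tag only.
pass in on $int_if inet proto { tcp udp } from $int_if:network to any tag LAN_OUT
pass out on $ext_if inet proto tcp to any port { 80 443 } tagged LAN_OUT keep state
pass out on $ext_if inet proto udp to any port 53 tagged LAN_OUT keep state

# QUIC: UDP/443 allowed only toward the listed prefixes, not the whole Internet.
pass out on $ext_if inet proto udp to <quic_srv> port 443 tagged LAN_OUT keep state

# SSH to the gateway, rate-limited through the dynamic <bruteforce> table.
pass in on $int_if inet proto tcp to ($int_if) port 22 flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Anchor: rules for a jail or another tool can be loaded here without touching this file.
anchor "jails/*"
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -t bruteforce -T show` to watch the dynamic table fill.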