How to choose between pf, ipfw, and ipfilter?

Oko
While I'm not a kernel hacker, from what I understand at least npf uses something similar to netmap called rumpkernel(?), so it is supposedly quite portable.
//Danne
So you believe that the OpenBSD team should/will abandon 15 years of work on PF and adopt the new, poorly tested NPF from NetBSD, a project which is on life support (I mean NetBSD is on life support). We must be living in different universes :)
 
Earlier I had said that I'd chosen pf because it was the first one I had tried and it seemed to fill my need (which was to allow access to the world, or just to the local network, or just to localhost, or to nothing, as a function of user ID, depending on the conscious choice of that user). But many useful comments in this thread, and outside resources cited by those comments, have persuaded me to look sideways at pf, growl defensively, and back away slowly. So then I looked at ipfw.

From a user standpoint, what a huge difference! The rules have rule numbers! The rules are addressable! I don't need to rewrite a changed config file, after perhaps parsing for outdated rules and removing those lines. All I need to do is map user IDs to rule numbers (a trivial exercise) and issue one ipfw command (or maybe two), and I'm done.

For future flexibility, it would have been nice to have the maximum rule number be 2^31-1, not 2^16-1, but that's minor.
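Added example, not code from any post in this thread: a small POSIX sh script that does what the post describes, mapping a user ID to an ipfw rule number and emitting the one or two ipfw commands for each of the four policies (world, LAN, localhost, nothing). The 10000 + uid numbering scheme and the LAN prefix 192.168.1.0/24 are assumptions made for the example; the overflow check reflects the 2^16-1 rule-number ceiling mentioned above. By default the commands are printed rather than run, so the script can be read on a machine without ipfw; IPFW_APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the thread): map a uid to an ipfw rule number and
# emit the ipfw commands for one of four per-user policies. Assumptions made
# for the example: rule number = 10000 + uid (a hypothetical scheme), the LAN
# is 192.168.1.0/24 (constructed), and ipfw's 'uid' option matches packets of
# sockets owned by that user on this host (so these are outbound policies).

IPFW_BASE=10000
IPFW_MAX=65535                  # ipfw rule numbers are 16-bit (the 2^16-1 above)
LAN_NET=${LAN_NET:-192.168.1.0/24}

# run_ipfw CMD: execute the command string when IPFW_APPLY=1, else print it.
run_ipfw() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then $1; else echo "$1"; fi
}

# ipfw_rule_for_uid UID -> prints the rule number; fails if it would overflow.
ipfw_rule_for_uid() {
    uid=$1
    n=$((IPFW_BASE + uid))
    if [ "$n" -ge "$IPFW_MAX" ]; then
        echo "uid $uid maps past the maximum rule number $IPFW_MAX" >&2
        return 1
    fi
    echo "$n"
}

# ipfw_policy_cmds UID POLICY -> prints the ipfw command(s) for that user.
# Every rule for a user carries the same number, so one 'ipfw delete N'
# later removes that user's whole policy without touching a config file.
# The policies nest: world > lan > localhost > none.
ipfw_policy_cmds() {
    uid=$1; policy=$2
    n=$(ipfw_rule_for_uid "$uid") || return 1
    case $policy in
        world)
            echo "ipfw add $n allow ip from any to any uid $uid" ;;
        lan)
            echo "ipfw add $n allow ip from any to any via lo0 uid $uid"
            echo "ipfw add $n allow ip from any to $LAN_NET uid $uid"
            echo "ipfw add $n deny ip from any to any uid $uid" ;;
        localhost)
            echo "ipfw add $n allow ip from any to any via lo0 uid $uid"
            echo "ipfw add $n deny ip from any to any uid $uid" ;;
        none)
            echo "ipfw add $n deny ip from any to any uid $uid" ;;
        *)
            echo "unknown policy: $policy" >&2; return 1 ;;
    esac
}

# ipfw_set_policy UID POLICY: drop the user's previous rule(s), install new ones.
ipfw_set_policy() {
    uid=$1; policy=$2
    n=$(ipfw_rule_for_uid "$uid") || return 1
    cmds=$(ipfw_policy_cmds "$uid" "$policy") || return 1
    # The delete may fail when the user never had a rule; that is fine.
    run_ipfw "ipfw delete $n" || true
    echo "$cmds" | while IFS= read -r c; do run_ipfw "$c" || return 1; done
}

# Usage (dry run): sh thisfile.sh is sourced, then e.g.
#   ipfw_set_policy 1001 lan
```

Since ipfw keeps rules with the same number in the order they were added, the allow lines must be emitted before the deny line, as above; the deny gives each restricted user an explicit terminal rule instead of relying on whatever the default rule happens to be.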
 
As per my suggestion to everyone who asks: try them all and see which one suits you best. Unless you are looking for something very sophisticated, most solutions can work just fine.

The basic rule for a good firewall policy is: keep it clean and easy to read.
 
As per my suggestion to everyone who asks: try them all and see which one suits you best.
A usable strategy, but not quite what happened here. I settled on one firewall, and it would have been good enough. What caused me to switch was all the helpful detail in this thread, which I would not have found out by trying pf, except maybe months or years later when my use of a firewall might be more complex but I would have already settled down with pf. Just from what I read here, pf seems to be like greywater which has been allowed to stand too long before reuse: it's still usable, but one holds one's nose. It was only after discovering this that I tried ipfw. Sometimes "try everything and see which is best" just slows one down with life. It was the sniff test failure that led me to try ipfw, with its pretty darn good addressable rules.
 
I've gone back and forth between pf and ipfw and I eventually chose pf. The difference in rule syntax wasn't a big deal for me, but I find pf's logging superior. Maybe I'm doing something stupid, but with ipfw, if I set net.inet.ip.fw.verbose_limit, I eventually see very little. If I remove the limit, the logs become enormous. Yes, one could just log fewer rules, but the way pf, by default, logs only the initial connection and uses binary logs that you inspect with tcpdump allows for verbose but efficient logging. There are problems with pflog/tcpdump on FreeBSD, though. On OpenBSD, a tcpdump of the pflog can show the pid for locally generated traffic. pflog(4) suggests FreeBSD's pflog also records this information, but it's not shown with tcpdump.
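Added example, not code from the post above or from either project: a POSIX sh script that prints the pf.conf fragment and tcpdump commands behind the logging behaviour described, side by side with the ipfw per-rule alternative to the global net.inet.ip.fw.verbose_limit knob. The uid 1001, the interface em0 and the ports are constructed for the example. The functions only print text, so the fragments can be reviewed anywhere; nothing is loaded into a firewall.

```shell
#!/bin/sh
# Added example (not from the thread): pf logging variants as pf.conf rules,
# the tcpdump commands for reading pflogd's binary log, and ipfw's per-rule
# log cap. Constructed for the example: uid 1001, external interface em0.

EXT_IF=${EXT_IF:-em0}

# pf_log_rules UID -> pf.conf fragment showing three logging levels.
# On a stateful rule, plain 'log' records only the packet that created the
# state, which is why pf logs stay small; 'log (all)' records every packet
# matched via that state; 'log (user)' adds the socket's uid and pid to the
# pflog record for locally generated traffic.
pf_log_rules() {
    uid=$1
    cat <<EOF
# logs only the state-creating packet (pf's default for stateful rules)
pass out on $EXT_IF log proto tcp from any to any port 80 user = $uid
# logs every packet of the connection: verbose, and the log grows fast
pass out on $EXT_IF log (all) proto tcp from any to any port 443 user = $uid
# logs the state-creating packet together with the owning uid and pid
pass out on $EXT_IF log (user) proto udp from any to any port 53 user = $uid
EOF
}

# pflog_read_cmds -> commands to inspect the binary log pflogd(8) writes.
# -e prints the pflog header (rule number, action, direction, interface, and
# uid/pid when the rule used 'log (user)'); -ttt prints inter-packet deltas.
pflog_read_cmds() {
    cat <<'EOF'
tcpdump -n -e -ttt -r /var/log/pflog
tcpdump -n -e -ttt -i pflog0
EOF
}

# ipfw_log_rule NUM UID LIMIT -> an ipfw rule with its own log cap.
# 'logamount' caps how many log entries this one rule produces; once the cap
# is reached the rule keeps matching but stops logging until 'ipfw resetlog'
# zeroes the counter, which matches what the post sees with the global
# verbose_limit. Per ipfw(8), a LIMIT of 0 removes the cap for this rule only.
ipfw_log_rule() {
    num=$1; uid=$2; limit=$3
    echo "ipfw add $num allow log logamount $limit ip from any to any uid $uid"
}

# Usage: pf_log_rules 1001; pflog_read_cmds; ipfw_log_rule 100 1001 50
```

The practical consequence for the ipfw side is that a capped rule is silent, not absent, so a periodic `ipfw resetlog` (for example from cron) is what keeps a capped log flowing; on the pf side, `log (all)` is the setting that turns the compact per-connection log into a per-packet one.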
 