What is the best firewall?

I wondered what the best firewall is: IPFW, PF or IPF?

What are the advantages of each, and which is more advisable to use?

Which one is in constant development and will last a long time?

For example:

like ipchains on Linux, which is not used
 
douglasfim said:
What is the best firewall?
That's highly subjective.

I wondered what the best firewall is: IPFW, PF or IPF?
Try them all, see which one you like.

What are the advantages of each, and which is more advisable to use?
Without knowing what your requirements are nobody will be able to answer this in any meaningful way.

Which one is in constant development and will last a long time?
They all are.
 
pf is newer and has some very nice features. NAT is built in. IPFW is older but supposed to be somewhat/slightly faster, natd is separate.
 
douglasfim said:
I'm looking for some study

While I strongly prefer pf(4) these days (mainly for ease of ruleset management), I'd argue that you will want to learn with something like ipfw(8) instead. It uses the far more common "first match wins" approach.

Be sure to read here: Chapter 30 Firewalls

And: if your network-fu no good, you're going to need to get up to speed before you can really understand packet filtering.
 
anomie said:
And: if your network-fu no good, you're going to need to get up to speed before you can really understand packet filtering.
+1 on that.

Without even the most basic understanding of TCP/IP you will have a very hard time understanding anything a firewall does.
 
I've heard that IPFW has better filtering, but that PF is more complete and that IPF is easy and complete, so I'm very much in doubt.

I intend to learn all three, but only in the future. Which is the most recommendable to start with? I have basic knowledge of iptables, but I intend to study FreeBSD systems more.
 
ipfw has kernel NAT now, so in that sense pf is not better.
If you are going to study FreeBSD, then I advise IPFW, as IPF is at its end of time.
pf is more of an OpenBSD firewall, and it is ported to FreeBSD, so you won't really be UP-TO-DATE with fixes and bugs.

But to be objective, the best firewall is the one you can configure. So go ahead, give them all a try and decide.
 
I had already begun to study IPFW, but I saw that many were using PF.

I know nothing of PF, so I came here to ask.

Will FreeBSD continue using IPFW?
 
I started with IPFW, then used IPF and at last PF. For me PF is my favourite.
If you want to get more knowledge about PF try this book "The Book of PF".
But try it yourself, check what you need and see if the firewall you've chosen fills the bill.
 
wblock said:
pf is newer and has some very nice features. NAT is built in. IPFW is older but supposed to be somewhat/slightly faster, natd is separate.

Incorrect. IPFW has supported in-kernel NAT for at least 2 major releases of FreeBSD. It was introduced around the time of FreeBSD 7.0.
 
douglasfim said:
Will FreeBSD continue using IPFW?

There are no plans to remove IPFW or PF from FreeBSD releases.

IPF may become deprecated in the future, as it's not always kept up-to-date on changes in FreeBSD, and has pretty much become replaced by PF.
 
douglasfim said:
What is the best firewall?

The one that you know the best. :) If you are starting with 0 knowledge, then it all depends on which one has more/better documentation. And whether or not you can wrap your head around a last-match-wins ruleset (IPFW uses a first-match-wins ruleset; PF uses a last-match-wins ruleset with the option of making some rules final).

The other thing to keep in mind is that IPFW is developed on FreeBSD and is continuously updated as FreeBSD is updated. PF is developed on OpenBSD and upgraded with every OpenBSD release. Every now and then, PF is merged into FreeBSD. Meaning, PF in FreeBSD will always be a couple versions behind what's available on OpenBSD; but IPFW will always be the latest version.
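
The first-match-wins versus last-match-wins difference described in the post above, as an added example that is not part of the original thread and is not ipfw or pf code: a toy evaluator showing that the same rules in the same order give opposite verdicts under the two models, which is what bites when a ruleset is ported from one firewall to the other. The `Rule` class, the sample rulesets and the default verdict are assumptions of this example; the `quick` field stands in for the "final" option the post mentions.

```python
# Added illustration: a toy packet-filter evaluator, not ipfw or pf code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches any port
    quick: bool = False         # last-match mode only: make this rule final

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)

def first_match(rules, proto, port, default="block"):
    """First-match-wins: evaluation stops at the first rule that matches."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default  # constructed default for this toy, not a claim about ipfw

def last_match(rules, proto, port, default="block"):
    """Last-match-wins: later matches override, unless a 'quick' rule matched."""
    verdict = default  # constructed default for this toy, not a claim about pf
    for rule in rules:
        if rule.matches(proto, port):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed rulesets: the same two rules in both orders, plus a 'final' rule.
GENERAL_FIRST = [Rule("block"), Rule("pass", "tcp", 22)]
SPECIFIC_FIRST = [Rule("pass", "tcp", 22), Rule("block")]
WITH_FINAL = [Rule("block", "tcp", 23, quick=True), Rule("pass", "tcp")]

def compare(rules, proto, port):
    """Return (first-match verdict, last-match verdict) for one packet."""
    return first_match(rules, proto, port), last_match(rules, proto, port)

if __name__ == "__main__":
    for name, rules in [("general first", GENERAL_FIRST),
                        ("specific first", SPECIFIC_FIRST),
                        ("with final rule", WITH_FINAL)]:
        for port in (22, 23):
            print(name, "tcp", port, compare(rules, "tcp", port))
```
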
 
Hmmmm, interesting. I think I'll use IPFW. I already downloaded OpenBSD; when I install it I'll take a look at PF, but I intend to stay with FreeBSD, it meets all my needs.

tips are welcome

thanks
 
phoenix said:
Incorrect. IPFW has supported in-kernel NAT for at least 2 major releases of FreeBSD. It was introduced around the time of FreeBSD 7.0.

That would have been about the time I switched to pf, I guess.
 
IPFW has been my favorite firewall for all the time that I've been using FreeBSD. I started with it and I'm happy with it so far. :)
A little bit of IPFW advocacy from me:

- IPFW is SMP aware and gives you better performance (PF is not so good in this area AFAIK)
- IPFW can be used with Netgraph! It makes you able to build amazing things (PF can't)
- IPFW nat can pass FTP and GRE "by default" (PF nat has limitations)
- IPFW is developed and supported by the FreeBSD team with FreeBSD design in mind
- IPFW has a simple, human-readable syntax that is easy to understand/remember/use

IMHO ;)
 
Hm, in the first place, the favorite firewall is "brain 2010" which is gonna be updated each year on a given date ;)

Second place is PF but generally I take more care of securing services that aren't filtered - e.g. HTTP server - than ignoring them just for having a firewall running.
 
From my experience, I would load both PF and IPFW until you find out which is best for your situation.
At a later stage you may find that you need traffic shaping from dummynet instead of altq
or some other such problem that would have to make you start from scratch.
Resist the urge to go with a pre-built like pfsense as it is quick to get running but you will probably have problems customizing it later.
 