Other Why FreeBSD has three firewalls?


New Member

Messages: 10

I'm curious why FreeBSD has three firewalls. I mean pf, ipfw and ipfilter. It's against the KISS rule. As sysadmin, I'll have to learn three different firewalls than focus on the one iptables as in Linux. Isn't one firewall in FreeBSD enough?

PS. If I have posted this topic in the wrong forum, please move it.


Son of Beastie

Reaction score: 1,071
Messages: 2,980

Because FreeBSD doesn't dictate what you will use like Linux does and gives you the choice to use which one you want to use. You don't need to learn three firewalls, just the one you want.



Reaction score: 36
Messages: 47

IPFW first appeared in 2.0 and is FreeBSD's native firewall.
IPF was available in 2.2.
PF first appeared in 5.0.

Why do you think you need to learn all three? If you are the sysadmin, it would be your decision on which to use.

PF has diverged greatly from OpenBSD who constantly change it, along with syntax and it has been developed to better handle multi-core processors on FreeBSD.

Each have their preference of which to use. I started using ipfilter on FreeBSD, then turned to OpenBSD using PF until that machine died and OpenBSD was using a new syntax that I didn't want to relearn, so I returned to running ipfilter on FreeBSD. I have also thought of moving my firewall to SmartOS and it uses ipfilter too, so I can use the same rules. SmartOS also has fwadm which is their own firewall for VM's.

Now if I was running everything on Plan 9, then I'd just hookup my cable modem to a Plan 9 CPU machine and have a separate Plan 9 auth server, import the external interface from the CPU server onto the internal machines and nothing could get in, but all traffic could get out. No NAT is necessary. But I need access to the internet for my Windows machine and TV so I can watch Hulu and Netflix. So Plan 9 as my proxy out won't work. But they could bang on it all day and everything inside would be secure.

Then again, maybe I can use OS/2 as my firewall since it has built-in NAT and TCP/IP filtering. Or perhaps use OS/2 with the Injoy firewall.

Solaris 11.3 offers a ported PF and also still has ipfilter.

Does iptables do stateful inspection? It didn't used to unless they changed that. Not sure why you have to invoke Linux, because your question didn't require the reference.

As I said, everyone has their reason for which they choose, and what they choose to run it on, and more options usually isn't a bad thing.


Son of Beastie

Reaction score: 1,671
Messages: 3,512

And in addition to the above...

I'm curious why FreeBSD has three firewalls.
This is just my take on it but: "To make it easier to use FreeBSD when you're already used to another Unix-like system.".

I mean pf, ipfw and ipfilter. It's against the KISS rule.
Actually it's in full compliance, I'd even argue that it actually honors the rule because it's a lot more work for the developers to maintain 3 different firewalls while it can really help people to migrate to (or simply maintain) FreeBSD. I speak from personal experience; I've used ipfilter for many years on Sun Solaris and when I eventually made the jump to FreeBSD I could rely on one solid assurance: no matter how much I might mess up my systems local security, I could always count on my firewall to keep out all bad stuff. Because I didn't have to re-learn anything.

As sysadmin, I'll have to learn three different firewalls than focus on the one iptables as in Linux. Isn't one firewall in FreeBSD enough?
Do yourself a favor: next time you criticize something try to make sure you actually know what you're talking about?

In this case: check up on Chapter 30 of the FreeBSD handbook:

FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs.

It even answered your original question.



Reaction score: 367
Messages: 1,014

FreeBSD definitely needs IPFW and PF. These two can be used together without problem (IPFW for a quick canned firewall, and PF for more customization). PF has documentation and a reputation from OpenBSD. IPFW is FreeBSD's native firewall with different strengths.

There was talk about removing IPF from a future FreeBSD release. It was in, because Juniper contributed to FreeBSD. There aren't many threads about IPF, but it should be a choice, even if through ports (maybe baseports). My src.conf leaves IPF out. In one way, I think firewalls in base should be limited to two for simplicity, but in another sense, I believe that IPF shouldn't be left out of base.

There's two things that confused me in the past, that the names have a combination of P and F, and if I'm not mistaken, the book BSD Toolbox, had an error in it about turning on firewalls through rc.conf. Setting it up according to that book didn't work, it worked without a hitch setting it up after analyzing information from different resources.


Staff member

Reaction score: 6,961
Messages: 28,942

IPF(ilter) is being fixed, cleaned and/or updated. Can't remember the details but noticed a bunch of commits on 12.0-STABLE for it.


Well-Known Member

Reaction score: 223
Messages: 253

As others have mentioned, you don't have to learn all three firewalls. In most cases you use just one of them (although it is possible to combine them). It's your choice.

IPFW is FreeBSD's native firewall. It had support for some FreeBSD features before the others did (e.g. filtering by jail).
IPF is a portable firewall. It was very popular on Solaris, for example, so it was convenient for people coming from Solaris to FreeBSD.
PF was developed by OpenBSD, based on IPF, so it they have some similarities.

Personally I prefer IPFW because it has some features that the other's don't have. Also, I like the way rules are organized with numbers (like good old BASIC), so you can easily insert new rules between existing ones, and you can jump between them like in a script or programming language, have common blocks accessed from multiple rules, and so on. The traffic shaping feature of IPFW is very powerful, too.


New Member

Messages: 2

There are many configs out there so no need to learn all three firewalls only some basic elements and a configuration you can find somewhere ,i.e.
ext_if="em0" # change to your network interface name

service_ports="{ 22, 25, 80, 53,  443, 3306, 8080 }"
application_ports="{ 8332, 8333, 6688, 6689, 55001 } # change to ports which is needed by your apps
table <trusted_hosts> const { my.ip.one.address, my.ip.two.adress,, } # change my ip adress to your ip adress
table <abusive_hosts>

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id

antispoof quick for { lo0 $ext_if }

block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

pass in inet proto icmp all icmp-type echoreq

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

pass in on $ext_if proto {tcp,udp} to any port $application_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

##ban some ip :: pfctl -t abusive_hosts -T add
##remove ban  :: pfctl -t abusive_hosts -T delete
##remove all banned ips :: pfctl -t abusive_hosts -T  flush

BSD User

New Member

Reaction score: 7
Messages: 15

It’s always good to have a choice, even Mac OS X includes 2 firewalls: PF & Application Firewall :)