
What is your favourite/best firewall on FreeBSD and why?


Lucius Rizzo

May 21, 2014, 3:38:04 AM
to freebsd...@freebsd.org
I have been looking into articles comparing firewalls that come with
FreeBSD. There isn't much recent info on the net. I am currently using
FreeBSD 10 with IPFilter.

Firewalls are like MTA servers I find. Each person has their own
proclivities. I happened to have started with IPFilter with Solaris and
throughout Solaris years. Lately, on my Linux servers, I end up running
ufw as lazy man's iptables cli frontend which is easy enough.

Ultimately, outside configuration differences all firewalls essentially
serve the same purpose but I wonder what is your favorite and why? If
you were to run FreeBSD in production, which of the three would you
choose? IPFilter, PF or IPFW?

Also there is a lack of good interesting rule sets in the BSD realm. With
Linux, there was even an iptables rule set to prevent heartbleed. If you use any
of the firewalls, and have interesting or even optimized rule sets, I
would really like to see them :)

Regards,

--

| _o _ |_)o_ _ _
|_|_|(_||_|_> | \|/_/_(_) - Lucius.Tel
--------------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CAUTION: Unless the word absquatulation has been used in its correct context
somewhere other than in this warning, it does not have any legal or grammatical
use and may be ignored. No animals were harmed in the transmission of this
email, although the kelpie next door is living on borrowed time, let me tell
you. Those of you with an overwhelming fear of the unknown will be gratified to
learn that there is no hidden message revealed by reading this warning
backwards, so just ignore that Alert Notice from Microsoft.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stabl...@freebsd.org"

Patrick M. Hausen

May 21, 2014, 4:18:05 AM
to Lucius Rizzo, freebsd...@freebsd.org
Hi, all,

On 20.05.2014 at 09:09, Lucius Rizzo <Lucius...@The.ie> wrote:
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

IPFW since it was first introduced. It's the standard one, works, and I
don't miss anything.

Kind regards
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
in...@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

Andreas Nilsson

May 21, 2014, 4:22:59 AM
to Patrick M. Hausen, FreeBSD Stable Mailing List, Lucius Rizzo
On Wed, May 21, 2014 at 9:57 AM, Patrick M. Hausen <hau...@punkt.de> wrote:

> Hi, all,
>
> On 20.05.2014 at 09:09, Lucius Rizzo <Lucius...@The.ie> wrote:
> > Ultimately, outside configuration differences all firewalls essentially
> > serve the same purpose but I wonder what is your favorite and why? If
> > you were to run FreeBSD in production, which of the three would you
> > choose? IPFilter, PF or IPFW?
>
> IPFW since it was first introduced. It's the standard one, works, and I
> don't miss anything.
>
> Kind regards
> Patrick
>

IPFW for me as well.

pf has nice features, but has a tendency to crash if one enables things
like vimage.

I haven't tried IPFilter in FreeBSD, I only tried it on opensolaris.

Best regards
Andreas

k simon

May 21, 2014, 5:20:33 AM
to freebsd...@freebsd.org


On 14-5-21 16:35, Rolf Nielsen wrote:
> IPFW for me too.


IPFW +1. Though it does not support NAT pools until now :), and I never
used it for "keep-state".
PF is easy to use, but it is hard to master for me. Its packet sequence
checking is too strict and prevents reuse of the source port under extreme
load if you are not an expert at adjusting the timeouts. But pf's "scrub"
and "reply-to" are amazing, and the syntax is easy to understand.
Pfsync+pfflowd is a good idea to implement a netflow/ipfix probe. I think
it has low overhead and better performance than ng_netflow because
you can install a pfflowd instance on a different box. But pfflowd has been
outdated since FB 9 was released.

Regards
Simon

Hooman Fazaeli

May 21, 2014, 8:19:06 AM
to Lucius Rizzo, freebsd...@freebsd.org
On 5/20/2014 11:39 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,
>
pf has some advanced features which make it more suitable for bigger and more complex networks.

pf advantages:
- Operating system finger prints as rule condition
- Dynamic interface addresses (interface name as rule src, dst and NAT-to address)
- IP address range
- Redirecting reply packets (reply-to)
- More state limiting options to resist DoS (max-src-nodes, max-src-states, max-src-conn, max-src-conn-rate)
- Simpler NAT syntax
- ICMP for ICMP/TCP/UDP NAT
- More load-share NAT options (round-robin, source hash, ...)
- Full packet logging via pflog pseudo interface
- Rule labels
- More control via CLI (pfctl)
- pftop
- Active-active failover (pfsync)
- Syn proxy

see pf.conf(5) man page for details.

ipfw advantages:
- MAC (L2) type/src/dst filtering (although very restricted, i.e., you may only specify a single MAC address as src)
- Complex protocol NAT (e.g., PPTP, SCTP, FTP, ...)

--

Best regards.
Hooman Fazaeli

Warren Block

May 21, 2014, 2:14:31 PM
to Lucius Rizzo, freebsd...@freebsd.org
On Tue, 20 May 2014, Lucius Rizzo wrote:

> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I started with IPFW and used it a long time. Then I switched to PF,
which has been easier to configure. Certainly PF is what I would use
for any new projects.

Mike Tancsa

May 21, 2014, 2:38:48 PM
to Lucius Rizzo, freebsd...@freebsd.org
On 5/20/2014 3:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.

It depends. I will use ipfw or pf depending on the app. But I never use
ipfilter as there is really no one maintaining it in FreeBSD. Also, if
you are using RELENG_10, using pf can better take advantage of multiple
cores.

For stateful firewalls, pf is the way to go for me. The rules are easy
to manage in a simple text configuration file which makes it easier to
maintain across reboots. ipfw is good (for me) where speed is
important, and very few rules are needed. Also, if you want to do
traffic shaping, dummynet+ipfw works well. The traffic shaping solutions
for pf are not so good right now.

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

k simon

May 22, 2014, 12:39:03 AM
to freebsd...@freebsd.org
I searched and found a project named ipfwng
(https://wiki.freebsd.org/IpfwNg). Is this project in progress?


Regards
Simon

Peter Wemm

May 22, 2014, 6:50:49 PM
to freebsd...@freebsd.org
On 5/21/14, 11:38 AM, Mike Tancsa wrote:
> On 5/20/2014 3:09 AM, Lucius Rizzo wrote:
>> I have been looking into articles comparing firewalls that come with
>> FreeBSD. There isn't much recent info on the net. I am currently using
>> FreeBSD 10 with IPFilter.
>
> It depends. I will use ipfw or pf depending on the app. But I never
> use ipfilter as there is really no one maintaining it in FreeBSD.
> Also, if you are using RELENG_10, using pf can better take advantage
> of multiple cores.
>
> For stateful firewalls, pf is the way to go for me. The rules are
> easy to manage in a simple text configuration file which makes it
> easier to maintain across reboots. ipfw is good (for me) where speed
> is important, and very few rules are needed. Also, if you want to do
> traffic shaping, dummynet+ipfw works well. The traffic shaping
> solutions for pf are not so good right now.
>
> ---Mike
>
For what it's worth, we use FreeBSD-11 pf + carp on the FreeBSD.org
clusters. The main reasons:

1) state tracking. We write our rules to try and maximize the state
hits and minimize the rule searching.
2) tables and the rule optimizer
3) we use pairs of firewalls so we can do no-interruption upgrades /
failovers. pfsync makes this possible.
4) in kernel nat / scrubbing etc.
5) multi-core in 10.x+
6) atomic updates to rulesets

I can't stress the value of having the paired primary/backup firewalls
that are in sync.

We use them to filter between as many as 15 network segments in some of
our clusters. We don't trust vlan to vlan traffic and there's a
default-deny configuration for everything. We have 100-300 rules on
each site and see anywhere from 30:1 to 500:1 state hits vs rule
searches (ie: for every sequential rule lookup, there's as many as 500
hash hits on the state table)

The main source of pain we have is that the pf in FreeBSD doesn't do
ipv6 fragment processing. We had to work around this because we have
public facing DNS servers behind it and they have to deal with ipv6
fragments.

-Peter

Daniel Kalchev

May 23, 2014, 3:59:07 AM
to freebsd...@freebsd.org

On 20.05.14 10:09, Lucius Rizzo wrote:
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

Coming from BSD/OS, IPFW was my natural choice. Have been using it for
many, many years.

But, as it turns out, for many years it has had a problem with table
manipulation that wasn't fixed, so for these applications I switched to PF.

I still prefer the IPFW style configuration and management though.

Daniel

Rainer Duffner

May 23, 2014, 4:25:23 AM
to Peter Wemm, freebsd...@freebsd.org
On Thu, 22 May 2014 15:50:23 -0700,
Peter Wemm <pe...@wemm.org> wrote:

> The main source of pain we have is that the pf in FreeBSD doesn't do
> ipv6 fragment processing. We had to work around this because we have
> public facing DNS servers behind it and they have to deal with ipv6
> fragments.


Hi,

can you elaborate on this a bit more (without exposing the security of
the FreeBSD.org cluster)?
The reason I ask is that we're going to implement a new DNS soon'ish
and it will also need to serve IPV6.
It's planned to run pf on the nameservers directly. At least until we
have a commercial firewall that actually does IPV6 better than pf ;-)

Or is there information on the web about this, somewhere?



Thanks in advance
Rainer

G. Paul Ziemba

May 23, 2014, 5:02:47 AM
to freebsd...@freebsd.org
Lucius...@The.ie (Lucius Rizzo) writes:

>Ultimately, outside configuration differences all firewalls essentially
>serve the same purpose but I wonder what is your favorite and why? If
>you were to run FreeBSD in production, which of the three would you
>choose? IPFilter, PF or IPFW?

I was a long-time user of ipfilter from its early days in the
1990's on Solaris. I started running it on FreeBSD in September 1999
(FreeBSD 3.2).

I switched to pf about seven months ago as I began to need to
manage bandwidth for specific classes of traffic (for example,
prevent outbound mailing list email from saturating the link
and reserve some bandwidth for interactive use).

The syntax is very close and the NAT configuration is simpler in pf.

Here are some of my reasons for switching:

1. Development activity. There seems to be almost no development
of ipfilter for FreeBSD anymore. Beyond the drama last year
about whether it would continue to be supported at all in FreeBSD,
I'm not sure there is even any development of the base ipfilter
now. The project web page (as linked from the FreeBSD Handbook
as well as the Wikipedia page) seems to have disappeared.

2. Integrated queue configuration (enabling bandwidth management
of selected traffic). This feature is not in ipfilter and
is what drove my switch.

3. Integrated macro and subroutine support (the latter are
referred to as "anchors"). It simplified my rule files a
bit. Also, being able to reload rules at specific anchors
simplified handling of my time-based rules.

I haven't checked recently, but I believe VIMAGE support for
FreeBSD's pf is still missing. There were some development
efforts a couple years ago but I never saw the patches get
added to the distributed FreeBSD. As a result I am using
VirtualBox VMs instead of jails for some of my internet-facing
services.
--
G. Paul Ziemba
FreeBSD unix:
1:56AM up 117 days, 2:55, 24 users, load averages: 1.49, 1.60, 1.60

Dr Josef Karthauser

May 23, 2014, 6:12:42 AM
to paul+...@w6yx.stanford.edu, freebsd...@freebsd.org
On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freeb...@ziemba.us> wrote:

> Lucius...@The.ie (Lucius Rizzo) writes:
>
>> Ultimately, outside configuration differences all firewalls essentially
>> serve the same purpose but I wonder what is your favorite and why? If
>> you were to run FreeBSD in production, which of the three would you
>> choose? IPFilter, PF or IPFW?
>
> I switched to pf about seven months ago as I began to need to
> manage bandwidth for specific classes of traffic (for example,
> prevent outbound mailing list email from saturating the link
> and reserve some bandwidth for interactive use).
>
> The syntax is very close and the NAT configuration is simpler in pf.

Does pfsync handle NAT tables?
Could I use it to build a resilient carrier grade NAT solution?

Joe


k simon

May 23, 2014, 10:29:59 AM
to freebsd...@freebsd.org
Does FB have some method to log the ClientIp\NatIp\ServerIp tuple
when using ipfw nat?

Regards
Simon

On 14-5-23 18:04, Dr Josef Karthauser wrote:

Peter Wemm

May 23, 2014, 1:03:42 PM
to Rainer Duffner, freebsd...@freebsd.org
On 5/23/14, 1:24 AM, Rainer Duffner wrote:
> On Thu, 22 May 2014 15:50:23 -0700,
> Peter Wemm <pe...@wemm.org> wrote:
>
>> The main source of pain we have is that the pf in FreeBSD doesn't do
>> ipv6 fragment processing. We had to work around this because we have
>> public facing DNS servers behind it and they have to deal with ipv6
>> fragments.
>
> Hi,
>
> can you elaborate on this a bit more (without exposing the security of
> the FreeBSD.org cluster)?
> The reason I ask is that we're going to implement a new DNS soon'ish
> and it will also need to serve IPV6.
> It's planned to run pf on the nameservers directly. At least until we
> have a commercial firewall that actually does IPV6 better than pf ;-)
>
> Or is there information on the web about this, somewhere?
>

IPv6 fragments are implemented quite differently to IPv4 - those can be
a real menace. IPv4 fragments are allowed to overlap each other and
rewrite previous fragments, including the header. IPv6 fragments are
not allowed to overlap and the IPv6 part of the header is outside the
fragment area. Unfortunately the TCP and UDP headers are included in
the fragment area.

How this affects DNS depends on whether you are doing resolving or
serving zones.

What we do for dns is use a dedicated IPv6 address that is exclusively
used for DNS and allow IPv6 fragments to this address. Since fragment
filtering can't specify ports, we effectively allow all-ports to this
address. I set this up so that it should not be a problem and routinely
check to make sure there's no unexpected listeners on that address.

For dns servers, this is mostly a non-issue. For resolvers
(particularly with things like Unbound), a large pool of stateless
incoming ports is used so it would probably be prudent to use an
exclusive address for this.

If pf could reassemble IPv6 fragments to examine ports and state for
these it'd be a lot nicer, but it doesn't in FreeBSD.

Beware, DNSSEC causes very large packets and makes fragmentation an issue.

-Peter
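
As an added illustration (not code from the thread or from pf itself) of why the fragment exception Peter describes has to be address-only: walking the IPv6 header chain of a constructed, fragmented UDP datagram shows that the transport ports exist only in the first fragment, so without reassembly a rule can key on the destination address and nothing else. Addresses, payload and the `stateless_decision` rule logic are constructed stand-ins, not pf's implementation.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44
# Extension headers that share the "next header, length" layout and that a
# filter simply walks past (Hop-by-Hop, Routing, Destination Options).
WALKABLE_EXT = {0, 43, 60}

# Constructed sample addresses (documentation prefix), not real hosts.
CLIENT6 = ipaddress.IPv6Address("2001:db8:1::10").packed
DNS6 = ipaddress.IPv6Address("2001:db8::53").packed    # dedicated DNS address
OTHER6 = ipaddress.IPv6Address("2001:db8::80").packed  # some other service


@dataclass
class FilterView:
    """What a stateless filter can read from one packet without reassembly."""
    dst: bytes
    is_fragment: bool
    frag_offset: int                  # in 8-octet units, 0 for first fragment
    more_fragments: bool
    upper_proto: int                  # protocol of the (possibly hidden) payload
    ports: Optional[Tuple[int, int]]  # (sport, dport) only when visible


def view_ipv6(pkt: bytes) -> FilterView:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, dst, off = pkt[6], pkt[24:40], 40
    is_frag, frag_off, more = False, 0, False
    while True:
        if nxt == IPPROTO_FRAGMENT:
            # RFC 8200 4.5: nxt(1) reserved(1) offset:13|res:2|M:1 (2) ident(4)
            nxt, _res, off_flags, _ident = struct.unpack_from("!BBHI", pkt, off)
            is_frag, frag_off, more = True, off_flags >> 3, bool(off_flags & 1)
            off += 8
            break  # everything after this header is the fragmentable part
        if nxt in WALKABLE_EXT:
            nxt, hdr_len = pkt[off], pkt[off + 1]
            off += (hdr_len + 1) * 8
            continue
        break
    ports = None
    # The transport header only exists in the first fragment; later fragments
    # carry opaque payload bytes at this position, so no port is readable.
    if (not is_frag or frag_off == 0) and nxt in (IPPROTO_TCP, IPPROTO_UDP) \
            and len(pkt) >= off + 4:
        ports = struct.unpack_from("!HH", pkt, off)
    return FilterView(dst, is_frag, frag_off, more, nxt, ports)


def ipv6_header(src: bytes, dst: bytes, nxt: int, payload_len: int) -> bytes:
    return struct.pack("!IHBB", 6 << 28, payload_len, nxt, 64) + src + dst


def udp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv6_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def fragment_udp(src, dst, sport, dport, payload: bytes,
                 chunk: int = 16, ident: int = 0x1234) -> list:
    """Split one UDP datagram into IPv6 fragments of `chunk` bytes (multiple of 8)."""
    assert chunk % 8 == 0
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    frags = []
    for i in range(0, len(udp), chunk):
        piece = udp[i:i + chunk]
        more = i + chunk < len(udp)
        off_flags = ((i // 8) << 3) | int(more)
        frag_hdr = struct.pack("!BBHI", IPPROTO_UDP, 0, off_flags, ident)
        frags.append(ipv6_header(src, dst, IPPROTO_FRAGMENT, 8 + len(piece))
                     + frag_hdr + piece)
    return frags


def stateless_decision(pkt: bytes, dns6: bytes, dns_port: int = 53) -> str:
    """Hypothetical rule logic (not pf): an address-only fragment exception
    for the dedicated DNS address, a port-based rule for everything else."""
    v = view_ipv6(pkt)
    if v.is_fragment:
        # Ports are unavailable on non-initial fragments, so the only thing a
        # fragment rule can key on is the destination address.
        return "pass" if v.dst == dns6 else "block"
    if v.dst == dns6 and v.ports is not None and v.ports[1] == dns_port:
        return "pass"
    return "block"


if __name__ == "__main__":
    for p in fragment_udp(CLIENT6, DNS6, 40000, 53, b"A" * 40):
        v = view_ipv6(p)
        print(f"offset={v.frag_offset} more={v.more_fragments} "
              f"ports={v.ports} -> {stateless_decision(p, DNS6)}")
```

The same walk explains the operational check Peter mentions: since every fragment to that address passes regardless of port, the only thing that keeps the exception narrow is that nothing but DNS listens on it.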

Mike Tancsa

May 23, 2014, 1:19:40 PM
to Peter Wemm, freebsd...@freebsd.org
On 5/22/2014 6:50 PM, Peter Wemm wrote:

> For what it's worth, we use FreeBSD-11 pf + carp on the FreeBSD.org
> clusters. The main reasons:

Hi Peter,
Just curious, but what is in 11 that is not in 10 that you decided to
deploy HEAD? I thought all those features you listed are in RELENG_10?

---Mike


--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

Peter Wemm

May 23, 2014, 5:03:38 PM
to freebsd...@freebsd.org
On 5/23/14, 10:18 AM, Mike Tancsa wrote:
> On 5/22/2014 6:50 PM, Peter Wemm wrote:
>
>> For what it's worth, we use FreeBSD-11 pf + carp on the FreeBSD.org
>> clusters. The main reasons:
>
> Hi Peter,
> Just curious, but what is in 11 that is not in 10 that you decided
> to deploy HEAD ? I thought all those features you listed are in
> RELENG_10 ?
>
> ---Mike
>
>
Two reasons.

1) back when 10.x was head, machines were set up to build from
svn.f.o/base/head and never quite made the switch to stable/10. I was
willing to do the extra work to make sure that 10-current was well
shaken out before it became 10-stable and that's why the cluster ran head.

2) for the most part there hasn't been any need to pull them back to
-stable. So long as we can handle it on clusteradm I felt that
deploying dogfood was a good way to find out if things are going off
into the weeds before it gets too far out of control. Having committers
aware that their changes are going to run live seems to make folks think
a little more carefully about committing destabilizing things.

In other words, 11.x is reliable enough that we can, so we are. It's not
for features though.

-Peter

Peter Wemm

May 23, 2014, 5:11:26 PM
to freebsd...@freebsd.org
Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org
cluster, we do use it on certain ipv6+rfc1918 machines and it does
handle failover / recovery transparently. We use it with carp.

Be aware that things can get a little twitchy if your switches have
extended link-up periods. Our Juniper EX switches and ethernet
interfaces have a significant delay between 'ifconfig up' and link
established. This required some tweaks on the freebsd.org cluster but
nothing unmanageable. We probably should boot them into a hold-down
state while things stabilize, but we've taken the quick way out
rather than doing it the ideal way.

-Peter

David Noel

May 24, 2014, 12:22:25 AM
to Lucius Rizzo, freebsd...@freebsd.org
On 5/20/14, Lucius Rizzo <Lucius...@the.ie> wrote:
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use PF, though I've never tried IPFilter or IPFW. Years ago when I
was trying to decide between the three I remember finding a number of
good arguments in favor of using PF.

> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent heartbleed. If you use
> any of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)

There are a handful of PF ruleset examples available online. I
gathered them, concatenated them, did some reading and made sure they
made sense for my use case, then applied them. They're on my other
machine though. I'll post them shortly.

David Noel

May 24, 2014, 1:32:16 AM
to Lucius Rizzo, freebsd...@freebsd.org
On 5/23/14, David Noel <david....@gmail.com> wrote:
> On 5/20/14, Lucius Rizzo <Lucius...@the.ie> wrote:
>> If you use any of the firewalls, and have interesting
>> or even optimized rule sets, I would really like to see them :)
>
> I'll post them shortly.
>

Let me know if I missed anything.

###########################
## Macros ##
###########################

ext_if="em0"
#jail_ips="{192.168.1.21,192.168.1.22,192.168.1.23,192.168.1.24}"
lan_ip="192.168.1.20"
lan_subnet="192.168.1.0/24"

###########################
## Tables ##
###########################

# set up abuse detection and prevention
# any host that hammers more than 3 connections in 5 seconds
# gets their packet states killed and address blackholed
#table <ssh_abuse> persist file "/var/db/pf.blacklist"

###########################
## Options ##
###########################

set fingerprints "/etc/pf.os"
set debug urgent
set block-policy drop

set skip on lo0

set limit frags 5000 # default
set limit src-nodes 5000 # default
set limit states 10000 # default
set limit tables 1000 # default
set limit table-entries 200000 # default
set loginterface $ext_if
set optimization normal # default
set ruleset-optimization basic # default
set state-policy floating # default
set timeout interval 10 # default
set timeout frag 30 # default
set timeout src.track 0 # default

###########################
## Traffic Normalization ##
###########################

# normalize and fragment all incoming traffic
# scrub in on $ext_if all fragment reassemble
scrub in on $ext_if all random-id fragment reassemble

###########################
## Queueing Rules ##
###########################

###########################
## Translation Rules ##
###########################

#nat on $ext_if inet proto { tcp, udp, icmp } from $jail_ips to $lan_subnet -> $lan_ip
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $ext_if from !($ext_if) to any -> 192.168.1.20
#nat pass on $ext_if from $lan_subnet to any -> 192.168.1.20
#nat on $ext_if from 192.168.1.21 to any -> 192.168.1.20

###########################
## Packet Filtering ##
###########################

# default to drop everything
#block in log all
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

# block ipv6
#block drop in quick inet6 label "default in deny ipv6 rule"
#block drop out quick inet6 label "default out deny ipv6 rule"

# enable antispoofing
antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

# block os-fingerprinting probes
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

# keep state on any outbound tcp, udp, or icmp traffic
# modulate the isn (initial sequence number) of outgoing packets
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
## how to allow only certain outbound ports? is needed?

# allow inbound postgresql connections
#pass in on $ext_if proto {tcp,udp} from 192.168.1.20 to $ext_if port = 5432

# allow inbound ssh traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# allow inbound www traffic with synproxy handshaking
#pass in log on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# uses table defined above for blacklisting
#block in quick from <ssh_abuse>
#pass in on $ext_if proto tcp to any port {ssh,www} flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

Charles Sprickman

May 24, 2014, 2:12:45 AM
to Peter Wemm, freebsd...@freebsd.org
On May 23, 2014, at 5:11 PM, Peter Wemm <pe...@wemm.org> wrote:

> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freeb...@ziemba.us> wrote:
>>
>>> Lucius...@The.ie (Lucius Rizzo) writes:
>>>
>>>> Ultimately, outside configuration differences all firewalls essentially
>>>> serve the same purpose but I wonder what is your favorite and why? If
>>>> you were to run FreeBSD in production, which of the three would you
>>>> choose? IPFilter, PF or IPFW?
>>> I switched to pf about seven months ago as I began to need to
>>> manage bandwidth for specific classes of traffic (for example,
>>> prevent outbound mailing list email from saturating the link
>>> and reserve some bandwidth for interactive use).
>>>
>>> The syntax is very close and the NAT configuration is simpler in pf.
>> Does the pfsync handle NAT tables.
>> Could I use it to build a resilient carrier grade NAT solution?
>>
>
> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>
> Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.

Off-topic, but it sounds like you need the Juniper equivalent of the Cisco "spanning-tree portfast" command on your switch interfaces that connect to end hosts. The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode. This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.

Charles

Darren Pilgrim

May 24, 2014, 3:23:18 PM
to Lucius Rizzo, freebsd...@freebsd.org
On 5/20/2014 12:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?

I use ipfw on servers and end devices when I need a mitigation-oriented
firewall. It makes simple work of putting up notch filters, but its
syntax gets a bit ugly if you're doing up a router configuration.

I build routers from pf on OpenBSD and Intel hardware. $1k of PC and I
can shove gigabits through full BGP tables and big sets of ACLs all day
long. Something comparable from Cisco would have a five- or six-digit
price tag and leave you unsatisfied. For lighter workloads, Ubiquiti's
EdgeRouter family is lovely and it gets you the benefit of a well-known
interface if you're handing off the admin hat. I abandon FreeBSD in
this use case--ipfw syntax isn't clean enough and pf's IPv6 support is
broken.

I haven't touched ipf in over a decade and don't miss it at all.

Alfred Perlstein

May 24, 2014, 4:12:29 PM
to freebsd...@freebsd.org
On 5/20/14 12:09 AM, Lucius Rizzo wrote:
> I have been looking into articles comparing firewalls that come with
> FreeBSD. There isn't much recent info on the net. I am currently using
> FreeBSD 10 with IPFilter.
>
> Firewalls are like MTA servers I find. Each person has their own
> proclivities. I happened to have started with IPFilter with Solaris and
> throughout Solaris years. Lately, on my Linux servers, I end up running
> ufw as lazy man's iptables cli frontend which is easy enough.
>
> Ultimately, outside configuration differences all firewalls essentially
> serve the same purpose but I wonder what is your favorite and why? If
> you were to run FreeBSD in production, which of the three would you
> choose? IPFilter, PF or IPFW?
>
> Also there is a lack of good interesting rule sets in the BSD realm. With
> Linux, there was even an iptables rule set to prevent heartbleed. If you use any
> of the firewalls, and have interesting or even optimized rule sets, I
> would really like to see them :)
>
> Regards,
>
I prefer IPFW because generally my configs are relatively simple and the
rules just read naturally to me as opposed to the other systems.

It reads very easily and since I'm generally doing basic things it's
nice not to have to think too hard about what I am trying to do.

-Alfred

Peter Wemm

May 24, 2014, 7:16:30 PM
to Charles Sprickman, freebsd...@freebsd.org
On 5/23/14, 11:12 PM, Charles Sprickman wrote:
> On May 23, 2014, at 5:11 PM, Peter Wemm <pe...@wemm.org> wrote:
>
>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freeb...@ziemba.us> wrote:
>>>
>>>> Lucius...@The.ie (Lucius Rizzo) writes:
>>>>
>>>>> Ultimately, outside configuration differences all firewalls essentially
>>>>> serve the same purpose but I wonder what is your favorite and why? If
>>>>> you were to run FreeBSD in production, which of the three would you
>>>>> choose? IPFilter, PF or IPFW?
>>>> I switched to pf about seven months ago as I began to need to
>>>> manage bandwidth for specific classes of traffic (for example,
>>>> prevent outbound mailing list email from saturating the link
>>>> and reserve some bandwidth for interactive use).
>>>>
>>>> The syntax is very close and the NAT configuration is simpler in pf.
>>> Does the pfsync handle NAT tables.
>>> Could I use it to build a resilient carrier grade NAT solution?
>>>
>> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>>
>> Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco “spanning-tree portfast” command on your switch interfaces that connect to end hosts. The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode. This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.
>

Indeed, I believe this is a legacy of when we had discrete switches
chained together. We've since switched to virtual chassis
configurations so there's only inter-switch forwarding via the
backplane. I've made a note to check this out when I'm physically present.

But it is something to be aware of if you're using carp in this
configuration as new members will believe they are the master for a
short while and that does lead to drama as it converges. This not a
pf/carp problem though, more one that we haven't used the available
tools properly yet.

Charles Sprickman

unread,
May 24, 2014, 8:22:49 PM5/24/14
to Peter Wemm, freebsd...@freebsd.org
On May 24, 2014, at 7:16 PM, Peter Wemm <pe...@wemm.org> wrote:

> On 5/23/14, 11:12 PM, Charles Sprickman wrote:
>> On May 23, 2014, at 5:11 PM, Peter Wemm <pe...@wemm.org> wrote:
>>
>>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>>>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freeb...@ziemba.us> wrote:
>>>>
>>>>> Lucius...@The.ie (Lucius Rizzo) writes:
>>>>>
>>>>>> Ultimately, outside configuration differences all firewalls are essentially
>>>>>> serve the same purpose but I wonder what is your favorite and why? If
>>>>>> you were to run FreeBSD in production, which of the three would you
>>>>>> choose? IPFilter, PF or IPFW?
>>>>> I switched to pf about seven months ago as I began to need to
>>>>> manage bandwidth for specific classes of traffic (for example,
>>>>> prevent outbound mailing list email from saturating the link
>>>>> and reserve some bandwidth for interactive use).
>>>>>
>>>>> The syntax is very close and the NAT configuration is simpler in pf.
>>>> Does the pfsync handle NAT tables.
>>>> Could I use it to build a resilient carrier grade NAT solution?
>>>>
>>> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>>>
>>> Be aware that things can get a little twitchy if your switches have an extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize and but we've taken the quick way out rather than doing it the ideal way.
>> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco “spanning-tree portfast” command on your switch interfaces that connect to end hosts. The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode. This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.
>>
>
> Indeed, I believe this is a legacy of when we had discrete switches chained together. We've since switched to virtual chassis configurations so there's only inter-switch forwarding via the backplane. I've made a note to check this out when I'm physically present.
>
> But it is something to be aware of if you're using carp in this configuration as new members will believe they are the master for a short while and that does lead to drama as it converges.

Interesting. I don't use carp as part of a firewall setup at all (yet), but I have a few cases where I use it for service redundancy. I am beyond happy with how well it works in that scenario. What is the behavior in a carp'd firewall configuration like you've described? New host comes up, sees the port up (but forwarding is not active yet), becomes master, and then you have a period of time after the port starts forwarding where you have two masters - what's the effect here? Does traffic using the carp IP for a gateway end up basically randomly hitting both hosts in the pair until the “false” master decides it's a slave again? I assume pf acts oddly when pfsync is enabled and you have both hosts in a pair being active.

> This not a pf/carp problem though, more one that we haven't used the available tools properly yet.

It seems like it could be fixed in carp though - I mostly deal with Cisco switches, and the delay before a port starts forwarding is a default config. There are also those that totally recommend leaving the STP defaults in case some junior network guy decides to plug something into the wrong port - I believe it's possible to get a forwarding loop going with “spanning-tree portfast” enabled. But most server admins are very keen on enabling the feature because no one wants to wait up to 30 seconds for a port to come alive. If the carp initialization could do a few checks beyond the basic port status (for example, is at least one MAC address in the ARP table for the interface in question) and delay initializing until knowing for certain an ethernet link is truly “up”, that might make things behave a bit better in environments like this. Someone more clever than I could probably come up with a more elegant solution though. :) I don't think it would be improper to work around the scenario you describe, as it's pretty common once you move into “enterprise” switching territory.

Sorry for continuing the OT, but I'm curious about what is probably a fairly common scenario.

Charles
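The hold-down state Peter mentions and the "check beyond port status" Charles suggests, sketched as an added example that is not from anyone in this thread: a small sh helper for a FreeBSD 10 CARP firewall pair that keeps the node demoted until its uplink shows at least one resolved ARP neighbour. It assumes FreeBSD's arp(8) output format and the carp(4) net.inet.carp.demotion sysctl (which adds the written value to the current demotion factor); the interface name, timeout and sample arp output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): CARP hold-down helper for FreeBSD 10.
# Keeps this node demoted until the uplink shows at least one resolved ARP
# neighbour, so it does not claim MASTER while its switch port is still in
# STP listening/learning. Assumptions: FreeBSD arp(8) output format and the
# carp(4) net.inet.carp.demotion sysctl, which adds the written value to the
# current global demotion factor.

# Count resolved (non-incomplete) entries in `arp -an` output read from stdin.
count_arp_neighbors() {
    awk '/ at [0-9a-f]+:/ && !/\(incomplete\)/ { n++ } END { print n + 0 }'
}

# Succeed when $1 (arp output) lists at least $2 (default 1) resolved neighbours.
link_is_really_up() {
    [ "$(printf '%s\n' "$1" | count_arp_neighbors)" -ge "${2:-1}" ]
}

# Raise or lower the global CARP demotion factor: +N makes every vhid lose
# elections, -N restores it (assumed carp(4) semantics).
carp_demote() { sysctl net.inet.carp.demotion="$1" >/dev/null; }

# Hold CARP demoted until interface $1 has ARP neighbours or $2 seconds elapse.
wait_for_uplink() {
    iface=$1; timeout=${2:-60}; waited=0
    carp_demote 240
    while [ "$waited" -lt "$timeout" ]; do
        if link_is_really_up "$(arp -an -i "$iface")"; then
            carp_demote -240
            return 0
        fi
        sleep 2
        waited=$((waited + 2))
    done
    carp_demote -240   # give up, but do not stay demoted forever
    return 1
}

# Constructed sample of FreeBSD `arp -an` output, used for an offline self-check.
SAMPLE_ARP='? (192.0.2.1) at 00:11:22:33:44:55 on em0 expires in 1160 seconds [ethernet]
? (192.0.2.9) at (incomplete) on em0 expired [ethernet]'

case "${1:-}" in
    run) wait_for_uplink "${2:-em0}" "${3:-60}" ;;   # e.g. ./carp-holddown.sh run em0 60
    *)   link_is_really_up "$SAMPLE_ARP" && echo "sample: uplink has neighbours" ;;
esac
```

Run it early from rc.local (or a custom rc.d script) on each member of the pair; the demotion is reversed on timeout so a host with a genuinely quiet segment still joins the election eventually.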

Torfinn Ingolfsen

unread,
May 25, 2014, 4:06:39 AM5/25/14
to freebsd...@freebsd.org
On Wed, 21 May 2014 10:35:23 +0200
Rolf Nielsen <rmg19...@gmail.com> wrote:

>
> IPFW for me too. It was what was available when I first started using a
> firewall, and it does what I want, so I see no reason to switch.

Exactly. IPFW for me too.
--
Torfinn Ingolfsen <torfinn....@getmail.no>

Ian Smith

unread,
May 25, 2014, 10:30:08 AM5/25/14
to Lucius Rizzo, freebsd...@freebsd.org, David Noel
On Fri, 23 May 2014 22:57:33 -0700, Lucius Rizzo wrote:
> * David Noel <david....@gmail.com> [2014-05-24 00:31]:
> > On 5/23/14, David Noel <david....@gmail.com> wrote:
> > > On 5/20/14, Lucius Rizzo <Lucius...@the.ie> wrote:
> > >> If you use any of the firewalls, and have interesting
> > >> or even optimized rule sets, I would really like to see them :)
> > >
> > > I'll post them shortly.
> > >
> >
> > Let me know if I missed anything.
>
> Thank you! This actually helps. I have a set of IPFilter rules that I
> plunk on my FreeBSD servers running on cloud. I use IPFilter with
> sshguard-ipfilter. (See Attached)
>
> Seems like consensus is that pf is perhaps the best choice moving forward.

There's no consensus except what you'd prefer it to be. If you count
messages you might have had to use ipfw, but I'm not surprised that pf
is likely more comfortable conceptually to someone familiar with ipf.

To one happier with procedural programming down to assembler level to sh
or Pascal rather than more object-oriented languages, ipfw is nice and
bare-metal and doggedly procedural. Others prefer the more symbolic
approach, and pf has always felt that to me, but that's subjective.

We've seen good specifics on which suits whom, and in what scenarios.
I liked Darren Pilgrim's non-sectarian approach, preferring ipfw on
(his) servers and pf - on OpenBSD - on (his) routers. And we got some
interesting high-level takes from folks running enterprise-scale stuff
down to what might best suit embedded gear. It's been fun :)

However, I want the bikeshed slightly on the yellow side of burnt ochre.

cheers, Ian

krad

unread,
May 28, 2014, 3:11:17 AM5/28/14
to Charles Sprickman, freebsd-stable, Peter Wemm
or use rstp


On 24 May 2014 07:12, Charles Sprickman <sp...@bway.net> wrote:

> On May 23, 2014, at 5:11 PM, Peter Wemm <pe...@wemm.org> wrote:
>
> > On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
> >> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freeb...@ziemba.us>
> wrote:
> >>
> >>> Lucius...@The.ie (Lucius Rizzo) writes:
> >>>
> >>>> Ultimately, outside configuration differences all firewalls are
> essentially
> >>>> serve the same purpose but I wonder what is your favorite and why? If
> >>>> you were to run FreeBSD in production, which of the three would you
> >>>> choose? IPFilter, PF or IPFW?
> >>> I switched to pf about seven months ago as I began to need to
> >>> manage bandwidth for specific classes of traffic (for example,
> >>> prevent outbound mailing list email from saturating the link
> >>> and reserve some bandwidth for interactive use).
> >>>
> >>> The syntax is very close and the NAT configuration is simpler in pf.
> >> Does the pfsync handle NAT tables.
> >> Could I use it to build a resilient carrier grade NAT solution?
> >>
> >
> > Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle
> failover / recovery transparently. We use it with carp.
> >
> > Be aware that things can get a little twitchy if your switches have an
> extended link-up periods. Our Juniper EX switches and ethernet interfaces
> have a significant delay between 'ifconfig up' and link established. This
> required some tweaks on the freebsd.org cluster but nothing unmanageable.
> We probably should boot them into a hold-down state while things stabilize
> and but we've taken the quick way out rather than doing it the ideal way.
>
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco
> “spanning-tree portfast” command on your switch interfaces that connect to