# Which firewall product is best?



## jubutld (Jul 22, 2011)

Hello

I need to setup my firewall and am wondering which product do people think is the best. I welcome your opinions.

Thanks


----------



## graudeejs (Jul 22, 2011)

The one that works best for you.

I like ipfw because of how you can write dynamic scripts, but it can suck with IPv6.

pf is old, but in FreeBSD 9 it will be updated to a newer version.

ipf - Never tried


----------



## phoenix (Jul 22, 2011)

Search the forums. This topic comes up a couple of times a year, and we have several threads that cover the pros/cons of each packet filter.

The "best" packet filter is the one you know how to configure and monitor.


----------



## Harikrishnan (Apr 3, 2012)

I have used pf, ipf, ipfw.

According to me ipf is the best. It's very useful when you use a script to add or remove rules. There is no lock out issue for ipf.

pf is good and has powerful features and can have a lot of options. It's handy when you are blocking a medium DDoS. It supports more rules than ipf. But the problem is the lock out issue. You can easily get locked out and pf may block everything including the local LAN if there is any problem in the rule set. So it's very difficult to automate rule adding with scripts.

We used to issue screen and sleep when loading pf rules.

Like

`$ pfctl -f /etc/pf.conf; sleep 10; pfctl -F rules`

ipfw is OK. We can add rules with scripts. No lockout issue, but overall lower performance than ipf.


----------



## RusDyr (Apr 17, 2012)

*Harikrishnan*, we also use pf, with ipfw. And I should say that there is absolutely no problem automating pf loading; read the pfctl man page:


> *-n*      Do not actually load rules, just parse them.


Moreover, there is no need to load the whole pf.conf when you just need to add/remove some rules - it has a *bunch* of options: you can load only nat/options/rules/tables etc., or you can use independent "anchors", or even merge the new ones with the old.



> ipfw is OK. We can add rules with scripts. No lockout issue, but overall low performance than ipf.


I really have some doubts about that. I think it's already an outdated and stale project. For example, in the past 4 (*four*) years the only differences in libipf are:

```
--- src/sbin/ipf/libipf/Makefile	2008/10/02 02:57:24	1.2.2.2.4.1
+++ src/sbin/ipf/libipf/Makefile	2012/03/03 06:15:13	1.7.10.1.8.1
@@ -1,4 +1,4 @@
-#	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipf/libipf/Makefile,v 1.2.2.2.4.1 2008/10/02 02:57:24 kensmith Exp $
+#	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipf/libipf/Makefile,v 1.7.10.1.8.1 2012/03/03 06:15:13 kensmith Exp $
 
 LIB=		ipf
 INTERNALLIB=
@@ -23,7 +23,7 @@ SRCS=		addicmp.c addipopt.c alist_free.c
 		printportcmp.c printproto.c printsbuf.c printstate.c \
 		printtqtable.c printtunable.c remove_hash.c remove_hashnode.c \
 		remove_pool.c remove_poolnode.c resetlexer.c rwlock_emul.c \
-		tcp_flags.c tcpflags.c v6ionames.c v6optvalue.c \
+		tcp_flags.c tcpflags.c tcpoptnames.c v6ionames.c v6optvalue.c \
 		var.c verbose.c
 
 .include <bsd.lib.mk>
```
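Review bot: the second hunk (`@@ -23,7 +23,7 @@`) adds `tcpoptnames.c` to `SRCS`, but the quoted diff carries no hunk creating that file, so as shown the library would fail to build with a missing source unless `tcpoptnames.c` was committed separately; the only other visible change, the `$FreeBSD$` line in the first hunk, is a keyword-expansion update rather than a code change, so of the two hunks only the `SRCS` edit reflects actual work on libipf.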

The other files of ipfilter also seem abandoned.

So I would prefer ipfw (especially brilliant with dummynet) and, less, pf (great dynamic rules and easily managed).
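The two posts above describe the two halves of a lockout-safe pf reload: Harikrishnan's `load; sleep; flush` trick so a bad ruleset does not strand you, and RusDyr's point that `pfctl -n` parses a ruleset without touching the kernel. The script below is an added example written for this thread, not code from either poster or from the pf project. It combines both ideas: syntax-check first, snapshot the live rules with `pfctl -sr`, load the new file, then arm a background timer that restores the snapshot unless the operator confirms (by removing an arm file) before it fires. Restoring the previous rules rather than flushing everything matters on a firewall, since `pfctl -F rules` leaves the box wide open if you never get back in. The `PFCTL`, `TIMEOUT`, `ARM_FILE` and `SNAPSHOT` variables and the file paths under `/var/run` are assumptions of this example.

```shell
#!/bin/sh
# Lockout-safe pf ruleset reload (added example, not from the thread).
#  1. syntax-check the new ruleset with `pfctl -nf` (parses only, loads nothing);
#  2. snapshot the currently loaded filter rules with `pfctl -sr`;
#  3. load the new rules, then arm a background timer that restores the
#     snapshot after TIMEOUT seconds unless the operator removes ARM_FILE.
# Assumes pfctl(8) is on PATH and pf is enabled. Paths and variable names are
# this example's own choices.

set -eu

PFCTL="${PFCTL:-pfctl}"                          # overridable for offline testing
TIMEOUT="${TIMEOUT:-60}"                         # seconds before automatic revert
ARM_FILE="${ARM_FILE:-/var/run/pf_reload.armed}" # exists while a revert is pending

# check_ruleset FILE -> 0 if pfctl accepts the syntax, non-zero otherwise.
# Nothing is loaded either way.
check_ruleset() {
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# snapshot_rules OUTFILE -> dump the currently loaded filter rules to OUTFILE.
snapshot_rules() {
    "$PFCTL" -sr > "$1"
}

# arm_revert SNAPSHOT -> background job: after TIMEOUT seconds, if ARM_FILE is
# still present (operator never confirmed), reload SNAPSHOT and disarm.
arm_revert() {
    : > "$ARM_FILE"
    (
        sleep "$TIMEOUT"
        if [ -e "$ARM_FILE" ]; then
            "$PFCTL" -f "$1" && rm -f "$ARM_FILE"
        fi
    ) &
}

# safe_reload NEWCONF -> run the whole procedure.
# Returns 2 (with nothing loaded) when NEWCONF fails the syntax check.
safe_reload() {
    new="$1"
    snap="${SNAPSHOT:-/var/run/pf_rules.prev}"
    if ! check_ruleset "$new"; then
        echo "syntax error in $new, nothing loaded" >&2
        return 2
    fi
    snapshot_rules "$snap"
    "$PFCTL" -f "$new"
    arm_revert "$snap"
    echo "loaded $new; run 'rm $ARM_FILE' within ${TIMEOUT}s to keep it"
}

# Run only when given a ruleset path, e.g.:  ./pf-safe-reload.sh /etc/pf.conf.new
if [ "$#" -gt 0 ]; then
    safe_reload "$1"
fi
```

Run it from the same SSH session you want to keep: if the new rules cut you off, the timer puts the old rules back and you log in again; if you are still connected, `rm /var/run/pf_reload.armed` keeps the new ruleset. Because `pfctl -sr` only dumps filter rules, NAT, tables and options would need their own snapshot (`pfctl -sn`, `-sT`, `-so`) if the new file changes them too.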


----------



## Rudy (Apr 21, 2012)

Doing NAT on your firewall? Stay away from ipnat / ipf (here in 2012) -- it is old and will crash your box under load with a Fatal 12! Use ipfw (and the ipfw_nat module)!


----------

