# How to choose between pf, ipfw, and ipfilter?



## Bill Evans at Mariposa (Mar 27, 2015)

In general, what are the important differences between `pf`, `ipfw`, and `ipfilter`? Why would one choose one of them over the others?


----------



## mag (Mar 27, 2015)

I think this will help... Chapter 30 Firewalls


----------



## kpa (Mar 27, 2015)

IPFilter and PF are quite similar in syntax and both do the same job on paper. However, IPFilter hasn't seen that much development and improvement lately on FreeBSD, so the selection between those two would be PF. IPFW is a much more advanced firewall that is capable of, for example, layer 2 filtering that the other two can't do. IPFW is much harder to use because the rule formalism (meaning how the rules are evaluated at runtime and other finer details) is much cruder and requires much more attention to get your rules right.


----------



## scottro (Mar 27, 2015)

I would add that being easy or hard to use may depend upon what you're doing. For simple firewalling, I find IPFW syntax a bit easier, that is, simple allowing and denying. We use both, depending upon a) the situation and b) which admin configured the server.


----------



## getopt (Mar 27, 2015)

kpa said:


> IPFilter and PF are quite similar in syntax and both do the same job on paper. However, IPFilter hasn't seen that much development and improvements lately on FreeBSD so the selection between those two would be PF.


You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.

See https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051234.html


----------



## wblock@ (Mar 27, 2015)

getopt said:


> You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.



That is not quite accurate.  Development has diverged between the two.  FreeBSD's version has some features that the OpenBSD version lacks (SMP).  Also, my (possibly mistaken) impression is that the OpenBSD version keeps making the syntax weirder with each version.

As for the original question:

PF for features, power, and clarity of firewall rules.
IPFW for slightly faster performance.
IPF... well, I've been told it is similar to Cisco firewalls.


----------



## Bill Evans at Mariposa (Mar 27, 2015)

mag said:


> I think this will help... Chapter 30 Firewalls


My apologies. I should have noted that I had already read that chapter, and was looking for aspects that weren't discussed there. That would have saved you the trouble. (I know that I like it when original posters say what they've already read.)


----------



## kpa (Mar 27, 2015)

getopt said:


> You should know that PF is stuck for years now on FreeBSD while further development has taken place on OpenBSD only.
> 
> See https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051234.html



That's not the whole story at all. The syntax used by FreeBSD PF is stuck in what it is now because of the POLA principle but there has been a whole bunch of work done on the internals to improve it and fix problems.

I wouldn't call the newer OpenBSD syntax weird. It actually makes a lot of sense because it ties together all processing rules that are applied to all packets regardless of state under the match directive, including nat, rdr and scrub.


----------



## Bill Evans at Mariposa (Mar 27, 2015)

Aaaand the winner, for me with my very simple requirements: PF, simply because it was the first one I tried and it was adequate for my need. My need was to be able, for a given user ID:

- to allow the usual unrestricted access;
- to allow access to only 10.0.0.1/16 and 192.168.8.1/16 and 127.0.0.1/8;
- to allow access to only 127.0.0.1/8; or
- to allow access to nothing.

I've done a proof of concept! Yay! It doesn't work for user ID 0, but that's ok.

Now the only thing that remains is to write a setuid root utility which allows the user to specify the desired level of access for himself (or allow root to set it for any user ID, given that user ID on the command line). This is for users reading mail that might contain (a) trusted, or (b) suspicious links.


----------



## diizzy (Mar 28, 2015)

Beware that IPv6 is fairly broken in pf and from what I've gathered regarding pf's syntax it hasn't been updated because no one has followed upstream. The major issue right now is that it has diverged too much from OpenBSD which makes updating troublesome. I know there has been some talk about bringing npf over from NetBSD which supposedly is quite portable and in very active development. On the plus side, syntax is very similar to pf.
//Danne


----------



## kpa (Mar 28, 2015)

diizzy said:


> Beware that IPv6 is fairly broken in pf and from what I've gathered regarding pf's syntax it hasn't been updated because no one has followed upstream. The major issue right now is that it has diverged too much from OpenBSD which makes updating troublesome. I know there has been some talk about bringing npf over from NetBSD which supposedly is quite portable and in very active development. On the plus side, syntax is very similar to pf.
> //Danne



IPv6 works well enough for me on 10.1-RELEASE. I'm using a gif(4) tunnel from SixXS. The biggest missing features are rdrs (for a proxy for example) and handling of IPv6 fragments (https://en.wikipedia.org/wiki/IPv6_packet#Fragmentation) and those are being worked on at the moment in stable/10. Those are not exactly showstoppers under normal use of IPv6.


----------



## gkontos (Mar 28, 2015)

PF and IPv6 works fine on my dual stacked server (mail, web, dns) running FreeBSD 9.3-RELEASE. I am not using any tunnels because I have a /64 assigned to me.


----------



## diizzy (Mar 28, 2015)

https://www.mail-archive.com/freebsd-pf@freebsd.org/msg06375.html (a few notes)
https://redmine.pfsense.org/issues/2762 (mentioned earlier)
etc
The list is long unfortunately and there's more in the mailinglists for those who want to dig a bit further.
//Danne


----------



## kpa (Mar 29, 2015)

diizzy said:


> https://www.mail-archive.com/freebsd-pf@freebsd.org/msg06375.html (a few notes)
> https://redmine.pfsense.org/issues/2762 (mentioned earlier)
> etc
> The list is long unfortunately and there's more in the mailinglists for those who want to dig a bit further.
> //Danne



Do you have any first-hand experience with PF used with IPv6? You would think those who use it for real would very quickly run into the showstoppers if there were any major ones? The reality is that PF with IPv6 does work well enough and the issues mentioned are not major enough to prevent it from use, not in the usability nor the security sense.


----------



## Oko (Mar 29, 2015)

diizzy said:


> Beware that IPv6 is fairly broken in pf


You meant to say the FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream.

@OP As a rule of thumb, if you need PF run OpenBSD unless you are dealing with 20 Gigabit and 50 Gigabit networks. In that case OpenBSD is a work in progress and currently can't handle those network speeds.

If you use FreeBSD use the native firewall IPFW unless you are very familiar with PF (like me) and not using FreeBSD as perimeter firewall.
IMHO PF has no future on FreeBSD unless we count those Apple laptops which FreeBSD developers like to use so much. Those (OS X) of course use PF as we know and much newer version than the one you can find on vanilla FreeBSD.


----------



## getopt (Mar 29, 2015)

Nice entry reader: https://forums.freebsd.org/threads/freebsd-vs-openbsd-pf.12383/#post-73730
Thank you, Oko 
kpa talking about PF earlier:


kpa said:


> It works fine for most part but any kind of NAT on IPv6 does not work because the rewritten packets will have invalid checksums and are dropped.
> 
> Before anyone jumps in a says that NAT is never needed with IPv6, think again. How are you going to get an FTP proxy working on IPv6 without NAT?





kpa said:


> You would think those who use it for real would very quickly run into the showstoppers if there were any major ones? The reality is that PF with IPv6 does work well enough and the issues mentioned are not major enough to prevent it from use, not in the usability nor the security sense.



IPv6 is much more complex than IPv4. Even experts still struggle configuring IPv6. Now from a pragmatic view, why would I want to use a product that is _"good enough"_ for not being a "showstopper", and has other shortcomings (like lack of active development)? If I had a choice I'd prefer *excellence* over _"good enough"_ wheresoever affordable. BTW is "showstopper" an adequate category regarding a security related firewall?



Oko said:


> You meant to say FreeBSD version of PF has broken IPv6. As we know there is nothing wrong with upstream
> 
> @OP As a rule of the thumb if you need PF run OpenBSD unless you are dealing with 20 Gigabit and 50 Gigabit networks. In that case OpenBSD is working progress and currently can't handle those network speeds.
> 
> If you use FreeBSD use the native firewall IPFW unless you are very familiar with PF (like me) and not using FreeBSD as perimeter firewall.



Oko, just to reverse your semantics: If there were the possibility of giving more than one thanks, you would get more on this posting; in the meantime I use an older one from Mar 19, 2010 because nothing has changed since.

People having chosen PF as their firewall might be happy for that time starting to learn PF and using it for a while thereafter. Usually they get stuck with PF at this point, refusing to learn another firewall syntax/concept. From my point of view it is essential for a starter to make the right decision at a very early stage. IMHO choosing Packet Filter PF for FreeBSD might be the wrong decision, if you do not want to be caught on the wrong foot some time after.

To make up your minds there is:
http://lists.freebsd.org/pipermail/freebsd-current/2014-July/051229.html

and a very clear statement from phoenix a/o Dec 19, 2014 :


phoenix said:


> One of the FreeBSD mailing lists had a discussion about this in the very recent past (maybe November, October at the earliest).
> 
> Going from memory:
> 
> ...


----------



## gkontos (Mar 29, 2015)

getopt said:


> People having chosen PF as their firewall might be happy for that time starting to learn PF and using it for a while thereafter. Usually they get stuck with PF at this point, refusing to learn another firewall syntax/concept. For my point of view it is essential for a starter to do the right decision at an very early stage. IMHO choosing Packet Filter PF for FreeBSD might be the wrong decision, if you do not want to be caught on the wrong leg some time after.



I have worked as a firewall administrator in the past for a large multinational company, dealing with Banking transactions. I was dealing with 12 firewalls all in HA mode. Checkpoint, Cisco ASA & FWSM blades.
The bugs that we discovered on all platforms were tremendous. Given the nature of the business it was impossible to disrupt production, therefore patching/upgrading had to be scheduled off times, usually between 3 to 5 am Sundays. 

That is all past now, fortunately and I don't have to deal anymore with stupid firewalls. That said, I can still write a policy in any type of firewall in under 10 minutes. I can also troubleshoot with ease connectivity issues.

And I choose PF for my dual stacked FreeBSD firewalls.

Thanks


----------



## gkontos (Mar 29, 2015)

getopt said:


> gkontos
> 
> Nice opinion advertising PF and yourself. But does it help those selecting a firewall for FreeBSD?
> 
> phoenix's statement I cited above does.



Sharing my experiences does not mean that I am advertising myself. Obviously you misunderstood my intentions.  

My point is choose whatever suits you best and keep it simple. There is no such thing as bug free stateful inspection. There is *NO SUCH THING* as a "best firewall" for FreeBSD.


----------



## gkontos (Mar 29, 2015)

getopt said:


> Well, that's what I found as "shared experience" in your posting. But does it enlighten anyone?
> For the rest you are talking about yourself.
> 
> And you made a decision suiting your personal needs, which has not been criticized.



Yes, I did speak as an expert in this field because of my experience. As a freelancer, I never advertise my "firewalling" skills because I choose to get involved in different fields.

The OP question has been answered thoroughly in the first posts. 

I just think that your criteria for saying the PF is broken is based upon pure BS. Much like your answers in a similar thread regarding PCI.


----------



## gkontos (Mar 29, 2015)

getopt said:


> gkontos
> Now as you cannot add more of your "experience" you switch from arguments to personal and narcissistic bashing. I could have called your output (also elsewhere) bullshit too, but I did not for preferring staying polite.



Feel free to contact me, I can share some knowledge from my experiences to you at a reasonable price.


----------



## Juanitou (Mar 29, 2015)

getopt said:


> I suggest that we ignore each other


You are strongly encouraged to do so or this thread will be closed soon.


----------



## diizzy (Mar 29, 2015)

Oko
Yes, I meant FreeBSD's case.... Anyhow, I don't think npf (for now) supports IPv6 any better than our current version of pf but seeing active development is encouraging and I think all would benefit if we could unify firewalls between BSDs. That said, I wouldn't mind seeing ipfw using pf's syntax (new or old). ;-)
//Danne


----------



## Oko (Mar 29, 2015)

diizzy said:


> Oko
> I think all would benefit if we could unify firewalls between BSDs.
> //Danne


That is never going to happen. BSDs (Free, DragonFly, Net, and Open) are not Linux distros. They are separate OSs originating from the same 4.4BSD-Lite with very different sets of objectives and code bases which can't be reconciled.

BTW people who like IPFW should look at the new IPFWv3 implementation on DragonFly. Truly radical and original direction which uses the advantages of the DragonFly kernel. "Original" IPFW on FreeBSD is going through a renaissance with new lead developer Luigi and co-workers. NPF in NetBSD is getting lots of love and is a really original piece of work. It is probably the most interesting thing besides Xen 4.5 in the NetBSD 7.0 release.

Finally, the real OpenBSD version of PF, and the whole network stack for that matter, is becoming multi-core capable and getting tested on 20 and 50 Gigabit networks.

These are good days for firewalls in BSD world.


----------



## diizzy (Mar 29, 2015)

Oko
While I'm not a kernel hacker from what I understand at least npf uses something similar to netmap called rumpkernel(?) so it is supposedly quite portable.
//Danne


----------



## Bill Evans at Mariposa (Mar 29, 2015)

Juanitou said:


> You are strongly encouraged to do so or this thread will be closed soon.


Please do not close this thread yet.  I am currently absorbing much of the conversation and cited outside resources, and suspect I'll have something more substantive to say within a few days.  It's not true that I've gotten everything I needed to know within the first few replies. Much of the rest has been very, very helpful.


----------



## Oko (Mar 30, 2015)

diizzy said:


> Oko
> While I'm not a kernel hacker from what I understand at least npf uses something similar to netmap called rumpkernel(?) so it is supposedly quite portable.
> //Danne


So you believe that the OpenBSD team should/will abandon 15 years of work on PF and adopt the new, poorly tested NPF from NetBSD, a project which is on life support (I mean NetBSD is on life support). We must be living in different universes.


----------



## Bill Evans at Mariposa (Mar 30, 2015)

Earlier I had said that I'd chosen `pf` because it was the first one I had tried and it seemed to fill my need (which was to allow access to the world, or just to the local network, or just to localhost, or to nothing, as a function of user ID, depending on the conscious choice of that user).  But many useful comments in this thread, and outside resources cited by those comments, have persuaded me to look sideways at `pf`, growl defensively, and back away slowly.  So then I looked at `ipfw`.

From a user standpoint, what a huge difference! The rules have rule numbers! The rules are addressable! I don't need to rewrite a changed config file, after perhaps parsing for outdated rules and removing those lines. All I need to do is map user IDs to rule numbers (a trivial exercise) and issue one `ipfw` command (or maybe two), and I'm done.

For future flexibility, it would have been nice to have the maximum rule number be 2^31-1, not 2^16-1, but that's minor.
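The per-user tiers from the two posts above (the `pf` proof of concept and the `ipfw` rule-number approach), as one added example. This is not the poster's setuid utility and not code from the thread. The same four tiers are generated once as pf rules loaded into a per-uid anchor, which makes them addressable without rewriting `pf.conf`, and once as ipfw rules keyed by a per-uid rule number. The anchor name `usertiers`, the rule-number window, the uids and the address list are assumptions for illustration; the main-ruleset lines the pf half expects are stated in the header comment.

```shell
#!/bin/sh
# Per-user egress tiers (full / local / lo / none) for one uid, as pf rules in a
# per-uid anchor or as ipfw rules under a per-uid rule number, so one user's tier
# can be changed without rewriting the whole ruleset.
# Added example for this thread; not the poster's setuid utility.
#
# Assumptions (constructed for illustration):
#   pf:   the main pf.conf ends with
#             pass out all keep state
#             anchor "usertiers/*"
#         so a user's anchor rules are evaluated last and, under pf's
#         last-match semantics, win without "quick".
#   ipfw: the general policy is numbered above 61000, so the per-user window
#         1000..60999 is evaluated first (ipfw is first-match).
#   both: "user" (pf) and "uid" (ipfw) match only TCP/UDP sockets on this host.

LOCALNETS_PF="{ 10.0.0.0/16, 192.168.0.0/16, 127.0.0.0/8 }"
LOCALNETS_IPFW="10.0.0.0/16,192.168.0.0/16,127.0.0.0/8"
ANCHOR=usertiers
RULE_BASE=1000
RULE_TOP=60999
PFCTL="${PFCTL:-pfctl}"
IPFW="${IPFW:-ipfw}"

check_tier() {
    case $1 in
      full|local|lo|none) ;;
      *) echo "unknown tier: $1" >&2; return 1 ;;
    esac
}

# pf: rule text for one uid's anchor.  Empty output means the anchor is left
# empty and the main ruleset's "pass out" applies to that user unchanged.
# "user" is a filter option, so it follows the host spec ("all" / "to ...").
pf_tier_rules() {
    uid=$1 tier=$2
    check_tier "$tier" || return 1
    case $tier in
      local) echo "block out proto { tcp udp } all user $uid"
             echo "pass out proto { tcp udp } to $LOCALNETS_PF user $uid keep state" ;;
      lo)    echo "block out proto { tcp udp } all user $uid"
             echo "pass out proto { tcp udp } to 127.0.0.0/8 user $uid keep state" ;;
      none)  echo "block out proto { tcp udp } all user $uid" ;;
    esac
}

# pf: replace the anchor's contents.  Loading with -f replaces the anchor's
# rules; flushing empties it.  Only this function needs root.
pf_apply_tier() {
    uid=$1 tier=$2
    rules=$(pf_tier_rules "$uid" "$tier") || return 1
    if [ -z "$rules" ]; then
        $PFCTL -q -a "$ANCHOR/$uid" -F rules
    else
        printf '%s\n' "$rules" | $PFCTL -q -a "$ANCHOR/$uid" -f -
    fi
}

# ipfw: one rule number per uid.  Rule numbers are 16-bit, so refuse uids that
# do not fit instead of wrapping into another user's slot (with this mapping
# "nobody", 65534, does not fit; use a lookup table if you need such uids).
ipfw_rule_for_uid() {
    n=$((RULE_BASE + $1))
    [ "$n" -le "$RULE_TOP" ] || { echo "uid $1 has no rule slot" >&2; return 1; }
    echo "$n"
}

# ipfw: print the commands for one uid's tier.  Several rules may share a
# number and "ipfw delete N" removes all of them; that is what makes a user's
# rules addressable.  Pipe the output to sh as root to apply it.
ipfw_tier_commands() {
    uid=$1 tier=$2
    check_tier "$tier" || return 1
    n=$(ipfw_rule_for_uid "$uid") || return 1
    echo "$IPFW delete $n 2>/dev/null || true"
    case $tier in
      local) echo "$IPFW add $n allow ip from any to $LOCALNETS_IPFW out uid $uid"
             echo "$IPFW add $n deny ip from any to any out uid $uid" ;;
      lo)    echo "$IPFW add $n allow ip from any to 127.0.0.0/8 out uid $uid"
             echo "$IPFW add $n deny ip from any to any out uid $uid" ;;
      none)  echo "$IPFW add $n deny ip from any to any out uid $uid" ;;
    esac
}

# usage: usertier.sh pf <uid> <tier>      (applies via pfctl)
#        usertier.sh ipfw <uid> <tier>    (prints ipfw commands; pipe to sh)
case "$1" in
  pf)   pf_apply_tier "$2" "$3" ;;
  ipfw) ipfw_tier_commands "$2" "$3" ;;
esac
```

Both halves hinge on evaluation order: pf takes the last matching rule, so the anchor line must be the last rule of the main ruleset (or the anchor rules need `quick`), while ipfw takes the first match, so the per-user window must sit below the general policy. Neither pf's `user` nor ipfw's `uid` matches forwarded traffic or protocols without a socket owner such as ICMP, so a tier that must also cover ping needs a separate rule.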


----------



## gkontos (Mar 30, 2015)

As per my suggestion to everyone who asks: try them all and see which one suits you best. Unless you are looking for something very sophisticated, most solutions can work just fine.

The basic rule for a good firewall policy is, keep it clean and easy to read.


----------



## Bill Evans at Mariposa (Mar 30, 2015)

gkontos said:


> As per my suggestion to everyone who ask. Try them all and see which one suits you best.


A usable strategy, but not quite what happened here. I settled on one firewall, and it would have been good enough. What caused me to switch was all the helpful detail in this thread which I would not have found out by trying `pf`, except maybe months or years later when my use of a firewall might be more complex but I would have already been settled down with `pf`. Just from what I read here, `pf` seems to be like graywater which has been allowed to stand too long before reuse: it's still usable, but one holds one's nose. It was only after discovering this that I tried `ipfw`. Sometimes the "try everything and see which is best" just slows one down with life. It was the sniff test failure that led me to try `ipfw`, with its pretty darn good addressable rules.


----------



## gkontos (Mar 30, 2015)

I am glad that it worked out for you well.


----------



## jrm@ (Apr 1, 2015)

I've gone back and forth between pf and ipfw and I eventually chose pf.  The difference in rule syntax wasn't a big deal for me, but I find pf's logging superior.  Maybe I'm doing something stupid, but with ipfw if I set net.inet.ip.fw.verbose_limit I eventually see very little.  If I remove the limit, the logs become enormous.  Yes, one could just log fewer rules, but the way pf only, by default, logs the initial connection and uses binary logs that you inspect with tcpdump allows for verbose but efficient logging.  There are problems with pflog/tcpdump on FreeBSD, though.  On OpenBSD, a tcpdump of the pflog can show the pid for locally generated traffic.  pflog(4) suggests FreeBSD's pflog also records this information, but it's not shown with tcpdump.
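An added example of the logging workflow the post describes (not the poster's setup and not code from the thread): pf writes pflog records in pcap format, so you read them with `tcpdump` and post-process its text, here with a small shell function that counts `block in` records per source address. The sample records are constructed in the line format tcpdump prints for pflog, using documentation address ranges, so the function runs offline; on a real box feed it `tcpdump -n -e -r /var/log/pflog` (or `tcpdump -n -e -i pflog0` for live traffic).

```shell
#!/bin/sh
# Count blocked inbound connection attempts per source address from pf's log.
# Added example for this thread, not the poster's setup.  pflog is pcap, so the
# input is tcpdump's text output, e.g.
#     tcpdump -n -e -r /var/log/pflog | pflog_top_blocked
#     tcpdump -n -e -i pflog0 | pflog_top_blocked        (live)

# Reads tcpdump -e output for pflog on stdin.  Each record looks like
#   <time> rule N/M(match): <action> <dir> on <ifname>: <src>.<port> > <dst>.<port>: ...
# Keeps "block in" records, strips the port from the source, counts per address.
pflog_top_blocked() {
    awk '
        /\(match\): block in on / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            # tcpdump appends ".port" to the address for TCP/UDP; strip it, but
            # only when there is one (ICMP lines carry the bare address).
            if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || src ~ /:.*\.[0-9]+$/)
                sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Constructed sample in tcpdump's pflog format (documentation address ranges).
PFLOG_SAMPLE='12:00:01.000001 rule 3/0(match): block in on em0: 203.0.113.5.40000 > 198.51.100.7.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 rule 3/0(match): block in on em0: 203.0.113.5.40001 > 198.51.100.7.22: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 rule 3/0(match): block in on em0: 203.0.113.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 rule 7/0(match): pass in on em0: 192.0.2.44.51000 > 198.51.100.7.443: Flags [S], seq 3, win 65535, length 0
12:00:01.000005 rule 3/0(match): block in on em0: 2001:db8::1.5555 > 2001:db8::7.22: Flags [S], seq 4, win 65535, length 0
12:00:01.000006 rule 3/0(match): block in on em0: 203.0.113.5.40002 > 198.51.100.7.23: Flags [S], seq 5, win 65535, length 0'

# Summary of the sample; with real input use the tcpdump pipelines above.
demo_summary() {
    printf '%s\n' "$PFLOG_SAMPLE" | pflog_top_blocked
}
```

Because a `pass log` rule logs only the packet that creates state, such counts are per connection attempt rather than per packet; use `log (all)` on a rule if you need every packet of a connection. The ipfw counterpart the post runs into is `net.inet.ip.fw.verbose_limit`: it caps the number of log lines per rule, so once a rule reaches the limit it goes silent until the counters are cleared with `ipfw resetlog`, which is why a tight limit shows "very little" after a while.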


----------

