# What is your favorite firewall?



## -Snake- (Aug 12, 2016)

Hello, I use Linux on some of my machines (iptables). Today I tried the PF firewall on FreeBSD, and I love it; it's very, very simple. With a simple:


```
tcp_services="{ssh, domain, auth}"
localnet="192.168.1.0/24"
block in all
pass out all
pass proto tcp from $localnet to port $tcp_services
```

I have a secure firewall for my second desktop machine.

What is your favorite firewall?


----------



## kpedersen (Aug 12, 2016)

On Windows XP I use Sygate firewall. It has pretty good diagnostics and since the company has gone bust, I doubt there is any spying / telemetry involved. Wireshark also suggests it is trustworthy.

On Windows 7+ I use the inbuilt one but I hack the registry to make the firewall entries read-only so that pesky software (i.e. Windows, Winstore apps and other crapware) doesn't add its own firewall rules.

On FreeBSD and OpenBSD, I honestly don't use a firewall. I trust the software to not phone home (for desktop. It is a different story for my few servers).


----------



## Oko (Aug 12, 2016)

kpedersen said:


> On FreeBSD and OpenBSD, I honestly don't use a firewall. I trust the software to not phone home (for desktop. It is a different story for my few servers).


On OpenBSD PF is turned on by default. The rules are of course about as permissive as it gets.


```
set skip on lo
block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
```


-Snake-

I have been using PF for over 15 years so I swear by it. Arguably that means that you have to run OpenBSD on your router/desktop as the state of PF on the other BSDs is sorry. OS X PF is pretty good (better than Free, and my daughters use it all the time on their Macs) and Solaris from 12 will have only PF.

On Free I use PF just out of habit, but arguably I use Free only as a storage OS behind an OpenBSD firewall. The same goes for DragonFly. If you are a hard-core user of FreeBSD using it for network services, I think IPFW is the way to go. Probably on DragonFly as well, based upon their mailing lists which I am subscribed to. IPFW vs PF topics were beaten to death on various FreeBSD mailing lists. I subscribe to the group of users who think that PF as it is should probably be removed from FreeBSD sooner rather than later.

IPFilter (IPF) is all but dead. Once Solaris removes it from the 12.0 release, that will be the last nail. IPF avoided the chopping board on FreeBSD due to the fact that Junos, based on FreeBSD, is using it. So Juniper Networks vetoed the decision to remove IPF from FreeBSD. There was recently a discussion on the NetBSD mailing list about the sorry state of IPF in release 7.0. The official party line of NetBSD at this point is that NPF is the official firewall of NetBSD. I like the party line; I just don't like the fact that NetBSD is on life support. PF is not recommended on NetBSD; being familiar with the animosity between the core NetBSD group and the OpenBSD people, I always wonder how PF was allowed to be imported into NetBSD.

All my Red Hat machines at work are behind an OpenBSD firewall. I have IPTables (which is a bastardized child of FreeBSD's IPFW) turned on but they are not very useful. I would not trust Linux with anything network related.

I forgot to mention turnkey appliances. pfSense and OPNsense are the most famous. They use FreeBSD as a base and PF. I have no idea where they are going with it as PF is dead on FreeBSD. m0n0wall, which is dead, used IPF. It was really good in its heyday. m0n0wall's recommendation for its users was to move to OPNsense since pfSense uses the non-free Apache 2 license. Not everyone was happy with the recommendation and somebody forked m0n0wall to TinyWall. I would swear I remember a website listing at least one other turnkey firewall appliance based on FreeBSD but I can't find it right now.


----------



## ShelLuser (Aug 12, 2016)

IPFilter. I've always used this back in the days when I was running Sun Solaris, so when I moved to FreeBSD I simply continued using the firewall I already knew by heart.

(edit)

Obviously I disagree with the project being dead. When software does the job it's supposed to, then I really couldn't care less about new features and new updates.


----------



## Phishfry (Aug 12, 2016)

pfSense is what I use. I like the appliance approach. It really makes it easy to do complicated things like a Captive Portal or OpenVPN.
I use a couple 8-port gigabit switches behind it to connect everything in my home including some POE gear.
I currently use an Astaro/Sophos ASG110-rev4 (Atom N450) hooked up to my cable modem. My firewall has an uptime of over 80 days.
I only reboot it on upgrades.
pfBlocker is the shiznik.
I also use custom hosts file for blocking on a per machine basis.

Noisy fan but a good little box still.
http://www.ebay.com/itm/262573837920

I also must say that Untangle makes a UTM OS that is pretty popular.


----------



## gpatrick (Aug 12, 2016)

> the fact that NetBSD is on the life support


Stop spewing that crap!



> IPFilter (IPF) is all but dead.


Perhaps you should talk to Joyent before you make that claim since it is the firewall used in Triton (SmartOS).


----------



## Oko (Aug 12, 2016)

gpatrick said:


> Perhaps you should talk to Joyent before you make that claim since it is the firewall used in Triton (SmartOS).


Of course SmartOS uses IPF because it is based on the now-dead illumos (OpenSolaris), which is in essence Solaris 10. IPF was developed originally on Solaris and I am one of the people who used it in the late 90s. All PR talk aside (Zones, Crossbow, KVM, and ZFS), SmartOS is a statistical error. More importantly, essentially an appliance built on dead illumos (OpenSolaris) which uses NetBSD pkgsrc to build packages (I know a little bit more about the true portability of pkgsrc than your average Joe) is just not a very interesting thing.

IPF might have a future, but not because of SmartOS; rather because it is used by Junos (Juniper Networks' OS). I mentioned that in my first post. Junos vetoed the decision that IPF be removed from FreeBSD.

As for your shouting at me, it is not the first and I am sure it is not the last time, but it will not change the fact that we don't see the world with the same eyes. I hope you are having a good Friday afternoon.


----------



## gpatrick (Aug 12, 2016)

Stop talking about what you obviously are very ignorant of!

Now you claim illumos is dead which is absurd. illumos was forked from OpenSolaris before Oracle closed it.

Then you go on to say SmartOS was an error. They have been in business for over a decade and recently were bought by Samsung. I suppose Samsung could go out of business.

You have a pleasant evening too my anonymous Internet acquaintance/adversary with whom we don't always agree!


----------



## ronaldlees (Aug 13, 2016)

gpatrick said:


> Stop spewing that crap!



+1

I have as many NetBSD machines as FreeBSD ones, and use pf firewall on all of them.  It's convenient because I don't need to have two sets of configuration files for the machines.   As far as pkgsrc goes, it may not be sexy, but it works fine.  In some ways I like it better than ports.


----------



## marino (Aug 13, 2016)

ronaldlees said:


> In some ways I like it better than ports.


I would be interested in a list of those ways.  Other than perhaps preferring pkgsrc's way of handling python2 vs python3 (as well as multiple versions of perl, ruby, php, etc) I don't see many advantages.  I say this as somebody that has done quite a few commits directly to pkgsrc and probably will do so again.


----------



## gkontos (Aug 13, 2016)

Simple answer really: whatever works best for you.


----------



## Yampress (Aug 13, 2016)

pf


----------



## wblock@ (Aug 13, 2016)

Oko said:


> IPF avoided the chopping board on FreeBSD due to the fact that Junos, based on FreeBSD, is using it. So Juniper Networks vetoed the decision to remove IPF from FreeBSD.


No.  IPF was nearly removed for being unsupported, then someone volunteered to support it.

But it does not matter, the only people who should use it are those who already use it.

I switched to PF years back, mostly due to easier configuration.  Or "less hard", I have not yet seen firewall rule syntax that isn't pretty terrible.  In the meantime, I'm told that IPFW has grown and improved.


----------



## fossette (Aug 13, 2016)

I like IPFW just because of the rules' philosophy.  It's (it can be) DENY ALL by default on the last rule.  And for the rules before it, the rules just act on what they recognize, immediately ACCEPT or DENY a specific condition.  I find it much easier to understand than the other firewalls.

(Rats!  Now *they* know what is my firewall...)

Dominique.


----------



## Murph (Aug 15, 2016)

I'm relatively neutral about it, and it's mostly a case of what is conveniently to hand and meets my needs at the time.  I switched my FreeBSD servers in remote hosting locations from IPFW to PF a while ago.  It's hard to pin down a precise reason for that, although part of it was Apple's move from IPFW to PF, so that I'm not switching back and forth between tools when working with both OS X and FreeBSD.  I wouldn't use IPF on a new FreeBSD config, as I don't believe that it gets the same level of care and attention as the other two.

For protecting a private LAN at its edge, I quite like Cisco IOS CBAC (context based access control on a SEC-K9 feature set or equivalent, not the ancient basic IP ACL stuff).  That has been my LAN firewalling preference for decades, and has served me very well.  I'll happily admit that it's not cheap, and IOS configuration can be a bit of a black art at times, and not for everyone; but it works well if you have long experience with Cisco kit and are using an appropriate model of router for it.


----------



## hitest (Aug 20, 2016)

PF


----------



## Nat_RH (Aug 22, 2016)

PF for anything software, Cisco ASA for anything hardware.


----------



## Murph (Aug 22, 2016)

After my previous post, I remembered a feature which was a significant part of my changing from IPFW to PF.  PF has named tables, which I greatly prefer over IPFW's numbered tables for cases where you have more than a few tables.  The numbered tables work fine in terms of doing the right thing at runtime, just more prone to confusion/errors/etc when managing things once you have more than a couple of them.
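The named-table point above, as an added illustration that is not a configuration posted in the thread: a minimal pf.conf for a single FreeBSD host in which every address set the rules refer to lives in a named table, so the rule text itself says what each set is for. The interface name, the addresses and the table file path are placeholders.

```pf
# Added example (not from the thread). Interface, addresses and the
# file path are placeholders; adjust them for the host in question.
ext_if   = "em0"
localnet = "192.168.1.0/24"

# Named tables: the name documents the purpose, and the contents can be
# changed at runtime (pfctl -t admins -T add/delete) without reloading
# the ruleset. "persist" keeps a table even while it is empty.
table <admins>  { 192.168.1.10, 192.168.1.11 }
table <blocked> persist file "/etc/pf/blocked.txt"

set skip on lo

# Default deny inbound (logged); the host's own outbound traffic is
# allowed and tracked statefully so replies come back in.
block in log all
pass out quick on $ext_if keep state

# Anything listed in <blocked> is dropped before any other inbound rule.
block in quick on $ext_if from <blocked>

# Only the administration hosts may reach ssh on this box.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh keep state

# Anyone on the local network may reach the local resolver.
pass in on $ext_if proto { tcp, udp } from $localnet to ($ext_if) port domain

# With IPFW numbered tables the equivalent sets would be referred to only
# as table(1) and table(2); which number means "admins" and which means
# "blocked" has to be kept in a comment or in your head, e.g.:
#   ipfw table 1 add 192.168.1.10
#   ipfw add 100 deny ip from table(2) to me in via em0
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n`; `pfctl -t blocked -T show` lists what is currently in a table.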


----------



## Phishfry (Aug 22, 2016)

Nat_RH said:


> Cisco ASA for anything hardware


You might want to think about that...

https://techcrunch.com/2016/08/17/c...nerabilities-disclosed-in-nsa-hack-are-legit/


----------



## Murph (Aug 22, 2016)

Phishfry said:


> You might want to think about that...
> 
> https://techcrunch.com/2016/08/17/c...nerabilities-disclosed-in-nsa-hack-are-legit/


Cisco stuff has its occasional vulnerabilities, just like everything else.  Those of us who like their products are generally not claiming some super special invulnerability, only that they are generally pretty good (and often quite expensive) products.  They are generally pretty good about acknowledging and publishing vulnerabilities, and fixing them pretty quickly; plus generally provide many years of security patch support.


----------



## gonzopancho (Aug 22, 2016)

Oko said:


> since pfSense uses non-free Apache 2 license.



Apache 2 is an accepted free and open source software license.  Your statement that it is "non-free" is in error.


----------



## Murph (Aug 22, 2016)

gonzopancho said:


> Apache 2 is an accepted free and open source software license.  Your statement that it is "non-free" is in error.


Yeah, the Apache license isn't one of the bad FOSS licenses, and it is certainly one of the most free licenses out there.  It's not quite as completely free-in-every-way as the BSD license, but it's actually not far off, with derivative works being able to choose their own license.  It's more free-as-in-freedom than GPL (that's not to label GPL as one of the "bad licenses", it's just restrictive (i.e. lacking full freedom) in a way that is tolerable for many purposes).

GPL people that hate the BSD license will probably hate the Apache license for similar reasons, but that's going to be due to software-socialist politics and not any lack of free-ness.

Given the commercial side to pfSense, its license is pretty much surprisingly free.


----------



## gonzopancho (Aug 22, 2016)

Murph said:


> Yeah, the Apache license isn't one of the bad FOSS licenses, and it is certainly one of the most free licenses out there.  It's not quite as completely free-in-every-way as the BSD license, but it's actually not far off, with derivative works being able to choose their own license.  It's more free-as-in-freedom than GPL (that's not to label GPL as one of the "bad licenses", it's just restrictive (i.e. lacking full freedom) in a way that is tolerable for many purposes).
> 
> GPL people that hate the BSD license will probably hate the Apache license for similar reasons, but that's going to be due to software-socialist politics and not any lack of free-ness.
> 
> Given the commercial side to pfSense, its license is pretty much surprisingly free.



Apache 2 is fully GPL-compliant, so the only people on that side who are annoyed don't understand that not everyone likes copyleft.

We don't use the BSD license largely because it doesn't defend our trademarks.

As for "surprisingly free", thank you.


----------



## a6h (Aug 23, 2016)

Fredkin's paradox.


----------



## wblock@ (Aug 25, 2016)

License arguments, should have known that was time to close the thread.


----------

