# What is the best firewall?



## douglasfim (Sep 1, 2010)

What is the best firewall?

I wondered which is the best firewall: IPFW, PF or IPF.

What is the advantage of each, and which one is more advisable to use?

Which one is in constant development and will last a long time?

Example: like ipchains on Linux, which is no longer used.


----------



## SirDice (Sep 1, 2010)

douglasfim said:

> What is the best firewall?


That's highly subjective.



> I wondered which is the best firewall: IPFW, PF or IPF.


Try them all, see which one _you_ like.



> What is the advantage of each, and which one is more advisable to use?


Without knowing what your requirements are nobody will be able to answer this in any meaningful way.



> Which one is in constant development and will last a long time?


They all are.


----------



## DutchDaemon (Sep 1, 2010)

Well, maybe not IPF anymore?


----------



## douglasfim (Sep 1, 2010)

I am a newbie in this. I'm looking for something to study, and I will use it at home and then also on servers.


----------



## wblock@ (Sep 1, 2010)

pf is newer and has some very nice features.  NAT is built in.  IPFW is older but supposed to be somewhat/slightly faster, natd is separate.


----------



## SirDice (Sep 1, 2010)

douglasfim said:

> I am a newbie in this


All the more reason to try them all.


----------



## anomie (Sep 1, 2010)

douglasfim said:

> I'm looking for something to study



While I _strongly_ prefer pf(4) these days (mainly for ease of ruleset management), I'd argue that you will want to learn with something like ipfw(8) instead. It uses the far more common "first match wins" approach.

Be sure to read here: Chapter 30, Firewalls (FreeBSD Handbook)

*And*: if your network-fu is no good, you're going to need to get up to speed before you can really understand packet filtering.


----------



## SirDice (Sep 1, 2010)

anomie said:

> *And*: if your network-fu is no good, you're going to need to get up to speed before you can really understand packet filtering.


+1 on that.

Without even the most basic understanding of TCP/IP you will have a very hard time understanding anything a firewall does.


----------



## douglasfim (Sep 1, 2010)

I have heard that IPFW has better filtering, but that PF is more complete, and that IPF is easy and complete, so I'm very much in doubt.

I intend to learn all three, but only in the future; which is the most recommendable to start with? I have basic knowledge of iptables, but I intend to study FreeBSD systems more.


----------



## anomie (Sep 1, 2010)

@douglasfim: Read your own thread.  That's what we are discussing here.


----------



## romeor (Sep 1, 2010)

ipfw has kernel NAT now, so in that sense pf is not better.
If you are going to study FreeBSD, then I advise IPFW, as IPF is at the end of its time.
pf is more of an OpenBSD firewall, and it is ported to FreeBSD, so you won't be really UP-TO-DATE with fixes and bugs.

But to be objective, the best firewall is the one you can configure. So go ahead, give them all a try and decide.


----------



## douglasfim (Sep 1, 2010)

I had already begun to study IPFW, but I saw that many were using PF.

I know nothing of PF, so I came here to ask.

Will FreeBSD continue using IPFW?


----------



## Shamrock (Sep 1, 2010)

I started with IPFW, then used IPF and at last PF. For me, PF is my favourite.
If you want to get more knowledge about PF, try this book: "The Book of PF".
But try yourself, check what you need and see if the firewall you've chosen fills the bill.


----------



## aragon (Sep 1, 2010)

Ditch ipf.  Choose between ipfw and pf.  I prefer ipfw for small, simple rulesets, and pf for large rulesets.


----------



## phoenix (Sep 1, 2010)

wblock said:

> pf is newer and has some very nice features. NAT is built in. IPFW is older but supposed to be somewhat/slightly faster, natd is separate.



Incorrect. IPFW has supported in-kernel NAT for at least 2 major releases of FreeBSD. It was introduced around the time of FreeBSD 7.0.


----------



## phoenix (Sep 1, 2010)

douglasfim said:

> Will FreeBSD continue using IPFW?



There are no plans to remove IPFW or PF from FreeBSD releases.

IPF may become deprecated in the future, as it's not always kept up-to-date on changes in FreeBSD, and has pretty much become replaced by PF.


----------



## phoenix (Sep 1, 2010)

douglasfim said:

> What is the best firewall?



The one that you know best. If you are starting with zero knowledge, then it all depends on which one has more/better documentation. And whether or not you can wrap your head around a last-match-wins ruleset (IPFW uses a first-match-wins ruleset; PF uses a last-match-wins ruleset with the option of making some rules final).

The other thing to keep in mind is that IPFW is developed on FreeBSD and is continuously updated as FreeBSD is updated. PF is developed on OpenBSD and upgraded with every OpenBSD release. Every now and then, PF is merged into FreeBSD. Meaning, PF in FreeBSD will always be a couple of versions behind what's available on OpenBSD; but IPFW will always be the latest version.
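The first-match-wins versus last-match-wins distinction raised by anomie and phoenix above, shown as an added example (not code from the thread or from either firewall): a small simulator that evaluates one constructed ruleset under both semantics, including a PF-style "quick" flag that makes a matching rule final. Rule and packet fields are simplified illustrations, not real ipfw(8) or pf.conf(5) syntax.

```python
# Added example: contrast IPFW-style first-match-wins evaluation with
# PF-style last-match-wins evaluation (plus PF's "quick" keyword).
# The Rule/Packet shapes below are constructed for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: Optional[str]     # None matches any protocol
    dst_port: Optional[int]  # None matches any destination port
    quick: bool = False      # PF only: a matching quick rule is final


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """IPFW semantics: the first matching rule decides; later rules are never consulted."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """PF semantics: the last matching rule decides, unless a matching rule is 'quick'."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:  # final rule: stop evaluating, like first-match for this rule
                break
    return decision


# Constructed ruleset: a catch-all block written first, then a specific allow for SSH.
# Under IPFW the block wins (it is first); under PF the SSH allow wins (it is last).
RULES = [Rule("block", None, None), Rule("pass", "tcp", 22)]


def decide_both(pkt: Packet) -> Tuple[str, str]:
    """Return (IPFW decision, PF decision) for the same packet and ruleset."""
    return first_match(RULES, pkt), last_match(RULES, pkt)
```

The same two rules therefore have to be written in opposite order to get the same policy on each firewall, which is the point phoenix makes about wrapping your head around the ruleset style.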


----------



## douglasfim (Sep 1, 2010)

Hmmmm, interesting. I think I'll use IPFW. I already downloaded OpenBSD; when I install it I'll take a look at PF, but I intend to stay with FreeBSD, as it meets all my needs.

tips are welcome

thanks


----------



## wblock@ (Sep 1, 2010)

phoenix said:

> Incorrect. IPFW has supported in-kernel NAT for at least 2 major releases of FreeBSD. It was introduced around the time of FreeBSD 7.0.



That would have been about the time I switched to pf, I guess.


----------



## terminus (Sep 4, 2010)

IPFW has been my favorite firewall for all the time I've been using FreeBSD. I started with it and I'm happy with it so far.
A little bit of IPFW advocacy from me:

- IPFW is SMP aware and gives you better performance (PF is not so good in this area AFAIK)
- IPFW can be used with Netgraph! It lets you build amazing things (PF can't)
- IPFW nat can pass FTP and GRE "by default" (PF nat has limitations)
- IPFW is developed and supported by the FreeBSD team with FreeBSD design in mind
- IPFW has a simple, human readable syntax that is easy to understand/remember/use

IMHO


----------



## sk8harddiefast (Sep 4, 2010)

I prefer pfSense.
If you have an old computer, it could be made into a very good firewall.


----------



## rghq (Sep 5, 2010)

Hm, in the first place, the favorite firewall is "brain 2010", which is going to be updated each year on a given date.

Second place is PF but generally I take more care of securing services that aren't filtered - e.g. HTTP server - than ignoring them just for having a firewall running.


----------



## triumdh (Sep 6, 2010)

From my experience, I would load both PF and IPFW until you find out which is best for your situation.
At a later stage you may find that you need traffic shaping from dummynet instead of altq,
or some other such problem that would make you start from scratch.
Resist the urge to go with a pre-built one like pfSense; it is quick to get running, but you will probably have problems customizing it later.


----------

