[wplug-bsd] firewalling in freebsd

Michael Semcheski lists at immuneit.com
Thu Mar 31 08:57:46 EST 2005


Duncan Hutty wrote:
> Rate each of pf, IPfilter, ipfw for learning curve (coming from
> iptables/netfilter), convenience and power/flexibility? Is one
> considered more 'standard freebsd'? Is one overwhelmingly more
> common?


While I haven't used iptables or ipfilter very much, I have set up ipfw
and pf firewalls.

To me, pf is the easy choice. I have set up more than a handful of
OpenBSD firewalls using pf (and it looks like the FreeBSD port is pretty
true to the original)...

pf has some good userland utilities that make it easier to set up and
troubleshoot things. For instance, it creates a network interface
(pflog0) which you can monitor to see traffic that is being dumped by
your firewall in real time.

pf also has some good utilities for creating more dynamic rulesets and
changing things on the fly, in my opinion.

The bottom line is that they are all stateful firewalls, and if you get
the hang of one, you should not have too much trouble switching (if you
see a feature or something neat in another firewall that you want).

I think ipfw is the most standard for FreeBSD, but pf has been quite a
hit since it was ported over.


