Other Choosing which firewall to use in 2021 - FreeBSD 13

decuser

decuser

OK. I've read man firewall and Chapter 31. Firewall and I'm still a bit uncertain about which firewall to choose. Here's my use case:

I have FreeBSD 13 installed on my Lenovo Thinkpad T-430. I alternate between the ethernet connection and wifi. Either way, I only use IPV4. I would like to be able to access the internet from the laptop and be able to ssh into the machine from my internal home network.

I'm not looking for how to configure the firewall, but rather how to choose between them. My read of things is that IPFW has been in FreeBSD forever and is quite powerful, PF is imported from OpenBSD and is maintained, but maybe not kept up to date with upstream developments, and IPFILTER is not all that. What's confusing is that the handbook lists PF first and IPFW second, but other sources ding PF and tout IPFW. What's the deal?
 
Try both .
I use ipfw.
Here is how my ruleset looks like,
Code: 
#ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
02000 check-state :default
03000 deny ip from 192.168.0.0/16 to any in via tun0
03010 deny ip from 172.16.0.0/12 to any in via tun0
03020 deny ip from 10.0.0.0/8 to any in via tun0
03030 deny ip from 127.0.0.0/8 to any in via tun0
03040 deny ip from 0.0.0.0/8 to any in via tun0
03050 deny ip from 169.254.0.0/16 to any in via tun0
03060 deny ip from 192.0.2.0/24 to any in via tun0
03070 deny ip from 204.152.64.0/23 to any in via tun0
03080 deny ip from 224.0.0.0/3 to any in via tun0
03100 deny ip from any to any frag offset in via tun0
03200 deny tcp from any to any established in via tun0
04030 allow tcp from any to any out via tun0 setup keep-state :default
04040 allow udp from any to any out via tun0 keep-state :default
04040 allow icmp from any to any out via tun0 keep-state :default
04050 allow tcp from 192.168.1.0/24 to any in via re0 setup keep-state :default
04050 allow tcp from any to 192.168.1.0/24 out via re0 setup keep-state :default
04060 allow udp from 192.168.1.0/24 to any in via re0 keep-state :default
04060 allow udp from any to 192.168.1.0/24 out via re0 keep-state :default
04060 allow icmp from any to 192.168.1.0/24 out via re0 keep-state :default
05000 reject log logamount 5 ip from any to any
06000 deny log logamount 5 ip from any to any
65535 deny ip from any to any
 
As I already stated in your other thread, you use the one you're more comfortable with. One key difference between IPFW and PF is whether the first or the last rule "wins". IMHO, PF rules are more readable and easier to write in a concise way, but that's just personal taste.
 
I too am pondering which firewall to implement for a simple web server, and have studied Chapter 31 of the Handbook.
In this forum it seems there's almost no discussion about IPFilter. It seems only IPFW and PF are mentioned.
Does this imply that IPF is not widely used ?
Or maybe IPF is so simple that nobody needs to discuss ?
 
ipfilter is on life support and hasn't been touched in years, syntax is similar to pf but not identical. I personally also prefer pf over ipfw due to syntax however both have pros and cons.
 
  • Like
Reactions: mer
bgroper said:
I too am pondering which firewall to implement for a simple web server, and have studied Chapter 31 of the Handbook.
In this forum it seems there's almost no discussion about IPFilter. It seems only IPFW and PF are mentioned.
Does this imply that IPF is not widely used ?
Or maybe IPF is so simple that nobody needs to discuss ?
Click to expand...
Why do You need firewall at all? It's pretty safety to go online, especially if you are behind NAT, just ssh into and do whatever you want. What rules do you want to implement exactly?
 
I would not be concerned that "pf in freebsd is not the same as pf in openbsd". I would be surprised if changes from openbsd don't eventually make it back to freebsd in some form.
Choosing which one? Flip a coin is a good start especially if you are looking at a "workstation firewall".
I agree that PF rules are easier to read, especially for complex rulesets and would prefer it for a device fronting a network.
 
blind0ne said:
Why do You need firewall at all? It's pretty safety to go online, especially if you are behind NAT, just ssh into and do whatever you want. What rules do you want to implement exactly?
Click to expand...
Our simple webserver does need its own firewall, regardless of any NAT. Firewall needed for fail2ban.

mer said:
Choosing which one? Flip a coin is a good start especially if you are looking at a "workstation firewall".
I agree that PF rules are easier to read, especially for complex rulesets and would prefer it for a device fronting a network.
Click to expand...
I just flipped the coin, and PF is probably a good choice, since its already in use at this location, in a pfSense appliance.

Thanks for replies.
 
bgroper said:
Our simple webserver does need its own firewall, regardless of any NAT. Firewall needed for fail2ban.


I just flipped the coin, and PF is probably a good choice, since its already in use at this location, in a pfSense appliance.

Thanks for replies.
Click to expand...
Don't even think about restarting this service)
 
Choosing a firewall is simple in FreeBSD, namely:

Ipfilter: forget that it exists. Now.
Pf: firewall of choice for everybody who likes configuration files which are easily humanly readable. So pretty much the default choice for most.
Ipfw: FreeBSD's native firewall. Does its jobs, though you need to wrap your brain harder around its configuration.

Since the feature set of Pf and Ipfw is not always exactly the same, sometimes the need for exact that feature missing in one firewall can be the deciding factor of choice.
 
Some claim ipfw scales/performs better with large rulesets and/or lots of traffic, this would be an advantage if true. It certainly doesn't affect me, I prefer the pretty readable and concise pf rules :)
 
blind0ne said:
Why do You need firewall at all? It's pretty safety to go online, especially if you are behind NAT, just ssh into and do whatever you want. What rules do you want to implement exactly?
Click to expand...
Because you can get caught by a scanner who's keeping their eyes peeled for installs that don't have firewalls in place. And once you're caught - get ready to do a complete re-install of your machine, and you'll be lucky if that's the only thing that happens to you. ?
 
regardless of your choice to implement (pf, ifpw, "Steve's greatest Firewall and Protection thing"), start out with block in drop on any upstream facing interface.
Workstation with a single interface to a network that goes to the internet? Block in drop eth0 by default. If there is state for an outbound state, that won't match.
 
I’ve just always used OpenBSD for over 20 years with PF mostly, I’ll admit it’s been quite a bit since I’ve done any of this but trying to get back into it and wondering if there are advantages to switching to FreeBSD?
 
My opinion:
It depends on what you want to do with it.
If you want a general purpose desktop either one works fine for that.
If you want a small footprint dedicated firewalling device, I'd opt for OpenBSD.
If you want to use ZFS, you have to use FreeBSD (or IllumOS or other Solaris derivative).
In general there may be some performance and hardware advantages in using FreeBSD, but for typical desktop usage, either one should work.
I'm not sure of the state of video drivers on OpenBSD (latest Intel, AMD, Nvidia) but on FreeBSD they seem to work fine (very latest high end AMD may be an issue).

So I'd start with the applications you want to use on a daily basis, on whatever hardware you want to use and go from there.
 
You must log in or register to reply here.
Back
Top