Firewall chart

From FBSD_tips


BSD Firewalling Options


FreeBSD ships three firewalls: IPFW, IPFILTER and PF. IPFW and IPFILTER predate PF, which was imported from OpenBSD. Each one has its strengths. Recently PF seems to have gotten the most attention and its development has been rapid. Questions frequently come up about a feature of one of these firewalls or how to implement a particular configuration. To that end, this chart is intended to perform two functions:

  1. Serve as a cursory 'feature at a glance' chart.
  2. Link to small, self-contained example configurations and explanations of them.

To allow timely prototyping of the examples I have set up a virtual router and a pair of endpoint hosts in a virtual_network_testbed. This way proper bandwidth charts can be made by tapping the virtual network from "outside".

Chart

| FEATURE | IPFW | IPFILTER | PF v3.7 | PF v4.1 |
|---|---|---|---|---|
| OS SUPPORT | FBSD | FBSD, Solaris | FBSD, OBSD | FBSD, OBSD |
| DUMMYNET PIPE | Yes [1] | No | No | No |
| DUMMYNET QUEUE | Yes | No | Yes | Yes |
| QUEUE ALTQ | Yes | No | Yes | Yes |
| SKIPTO | Yes | No | No | No |
| RULESETS | Yes | No | No | No |
| CONNECTION FORWARDING | Yes | Yes | Yes | Yes |
| IPTOS | Yes | No | No | No |
| IPTTL | Yes | No | No | No |
| IPPOS | Yes | No | No | No |
| IPVERSION | Yes | No | No | No |
| LAYER2 MATCHING | Yes | No | No [2] | No [2] |
| MAC ADDRESS FILTERING | Yes | No | No | No |
| TABLES | Yes (Example of use) | No | Yes | Yes |
| PROBABILITY (PROB) | Yes | No | No | No |
| COUNT | Yes | No | Yes | Yes |
| TEE | Yes | Yes | Yes | Yes |
| "ME" SUPPORT | Yes | Yes | Yes | Yes |
| IPV6 | Yes | Yes | Yes | Yes |
| JAIL | Yes | No | No | No |
| IPSEC | Yes | No | Yes | Yes |
| IPTOS - LOW DELAY | Yes | Yes | Yes | Yes |
| IPTOS - THROUGHPUT | Yes | Yes | Yes | Yes |
| IPTOS - RELIABILITY | Yes | Yes | Yes | Yes |
| IPTOS - MINCOST | Yes | Yes | No | No |
| IPTOS - CONGESTION | Yes | Yes | Yes | Yes |
| UID / GID | Yes | No | No? | Yes |
| VERREVPATH | Yes | No | No | No |
| QUICK | No | Yes | Yes | Yes |
| KEEP STATE | Yes | Yes | Yes | Yes |
| MODULATE STATE | No | No | Yes | Yes |
| SYNPROXY STATE | No | No | Yes | Yes |
| OVERLOAD SUPPORT | No | No | Yes | Yes |
| OS FINGERPRINT MATCHING | No | No | Yes | Yes |
| LIMIT STATES PER RULE | No | No | Yes | Yes |
| ROUTE-TO | No | No | Yes | Yes |
| REPLY-TO | No | No | Yes | Yes |
| INTERFACE GROUPS | No | No | Yes | Yes |
| PACKET TAGGING | No | No | Yes | Yes |
| INTEGRATED NAT | No | No | Yes | Yes |
| NETWORK STATE SYNCING | No | No | Yes | Yes |
| PASS ARBITRARY TRAFFIC TO A DAEMON | Yes? | No | Yes | Yes |
| Macros | | | | |
  1. Virtual network lab: ACK starvation on asymmetric links
  2. PF supports arbitrary mbuf tagging. FreeBSD may or may not add/remove these tags via if_bridge as they do in OpenBSD.
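The chart only says which firewall has which feature; to see what the PF-only rows look like in practice, here is a small pf.conf in PF 4.1-era syntax (separate nat/rdr rules, before the 4.7 merge into filter rules). It is an added example, not a configuration from this wiki or from the PF project; the interface names, addresses, queue sizes and the second uplink's gateway are assumed, and the "egress" interface group is assumed to exist (OpenBSD creates it automatically for the interface carrying the default route).

```conf
# Added example (not from the FBSD_tips page): one PF 4.1-era ruleset that
# exercises the rows marked "Yes" for PF only. Interfaces/addresses are assumed.

# Macros
ext_if    = "em0"
int_if    = "em1"
lan_net   = "192.168.1.0/24"
webserver = "192.168.1.10"

# TABLES: <rfc1918> is constant; <bruteforce> persists across reloads and is
# filled by the overload clause below, so it can be inspected with pfctl -t
table <rfc1918>    const { 10/8, 172.16/12, 192.168/16 }
table <bruteforce> persist

# QUEUE ALTQ: two CBQ classes on the assumed 10 Mb/s uplink, ssh gets priority
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_ssh }
queue q_std bandwidth 80% cbq(default)
queue q_ssh bandwidth 20% priority 6 cbq(borrow)

# INTEGRATED NAT: masquerade the LAN and redirect inbound web to the server
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# Default deny; hosts already in the overload table are dropped first
block log all
block quick from <bruteforce>

# OS FINGERPRINT MATCHING: only accept ssh from hosts whose SYN matches the
# OpenBSD signature in pf.os (passive fingerprint, not authentication)
pass in on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port 22 \
    flags S/SA modulate state queue q_ssh        # MODULATE STATE + queue assignment

# SYNPROXY STATE, LIMIT STATES PER RULE, OVERLOAD: PF completes the handshake
# before the web server sees the connection; a source opening more than 10 new
# connections in 5 s is added to <bruteforce> and its existing states flushed
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA synproxy state \
    (max-src-conn-rate 10/5, overload <bruteforce> flush global)

# PACKET TAGGING: mark LAN traffic on the inside interface, match the tag on the way out
pass in  on $int_if from $lan_net tag LAN_OUT keep state
pass out on $ext_if tagged LAN_OUT keep state

# ROUTE-TO / REPLY-TO: policy-route LAN https via an assumed second uplink (em2,
# gateway 203.0.113.1) and send replies to that uplink's own ssh back the same way
pass in on $int_if route-to (em2 203.0.113.1) proto tcp from $lan_net to any port 443 keep state
pass in on em2 reply-to (em2 203.0.113.1) proto tcp from any to (em2) port 22 keep state

# INTERFACE GROUPS: one rule covers every interface in the "egress" group
block in on egress from <rfc1918>

# UID / GID: only root on the firewall itself may originate DNS queries
pass out on $ext_if proto udp from ($ext_if) to any port 53 user root keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the sources the overload clause has caught, which is the behaviour IPFW and IPFILTER cannot express from the chart's OVERLOAD SUPPORT row.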