FreeBSD has three different firewall packages built into the base system:
IPFILTER (also known as IPF), IPFIREWALL (also known as IPFW), and OpenBSD's
PacketFilter (also known as PF). FreeBSD
also has two built-in packages for traffic shaping (basically controlling bandwidth
usage): altq(4) and dummynet(4). Dummynet
has traditionally been closely tied with IPFW, and
ALTQ with PF.
Traffic shaping for IPFILTER can currently be done
by using IPFILTER for NAT and filtering together with IPFW and dummynet(4), or by using PF with ALTQ. IPF, IPFW, and PF
all use rules to control the access of packets to and from your system, although they go
about it in different ways and have different rule syntaxes.
FreeBSD has multiple built-in firewall packages because different
people have different requirements and preferences. No single firewall package is the
best.
The author prefers IPFILTER because its stateful rules are much less complicated to
use in a NAT environment and it has a built-in FTP
proxy that simplifies the rules to allow secure outbound FTP usage.
Since all firewalls are based on inspecting the values of selected packet control
fields, the creator of the firewall rulesets must understand how TCP/IP works, what the different values in the packet control
fields are, and how these values are used in a normal session conversation. For a good
explanation go to: https://www.ipprimer.com/overview.cfm.
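The sketch below is an added example, not code from FreeBSD or from IPF, IPFW or PF. It shows which IPv4/TCP control fields a rule matches on and how a stateful rule uses them across one session. The packet builder, the StatefulFilter class and all addresses are constructed for illustration, and real firewalls additionally track sequence numbers and timeouts.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def parse_fields(pkt):
    """Extract the control fields a packet filter rule typically matches on."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                        # TCP flags byte
    return {
        "proto": pkt[9],
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
    }

class StatefulFilter:
    """Simplified model of 'pass out to allowed ports, keep state; block the rest'."""
    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        self.states = set()                      # (local ip, local port, remote ip, remote port)

    def check(self, pkt, direction):
        f = parse_fields(pkt)
        if f["proto"] != socket.IPPROTO_TCP:
            return "block"
        if direction == "out":
            key = (f["src"], f["sport"], f["dst"], f["dport"])
            if key in self.states:               # packet of an established session
                return "pass"
            if f["syn"] and not f["ack"] and f["dport"] in self.allowed_out_ports:
                self.states.add(key)             # session start: record state
                return "pass"
            return "block"
        # Inbound: pass only replies that mirror a recorded outbound session.
        key = (f["dst"], f["dport"], f["src"], f["sport"])
        return "pass" if key in self.states else "block"
```
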