shorewall极大简化了iptables的管理,然而与pf相比还是稍逊一筹,主要是shorewall的配置文件太多了。pf只需要一个配置文件,这要简洁得多。我认为它是世界上最优雅的防火墙配置设计。以lab为例:

需求

shorewall配置

pf配置

/etc/pf.conf
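# Macros: interfaces and VPN address ranges referenced by the rules below.
wan_if = eth0
vpn_if = tun0
lab_vpn_net = "10.8.0.0/24"      # whole VPN range; defined for reference, no rule below uses it
User1_vpn_net = "10.8.0.32/27"
corp_vpn_net = "10.8.0.64/27"

# Lab subnets, grouped in a table so that a single rule can cover all of them.
table <lab_net> { "192.168.33.0/24", "192.168.55.0/24",
                  "192.168.66.0/24", "192.168.88.0/24",
                  "192.168.100.0/24", "172.16.33.0/24" }

###############
# default policy
#
# pf applies the LAST matching rule unless a rule carries "quick", so the
# default deny has to come before every "pass" rule, including the 1:1 NAT
# rules below: a "block all" placed after them would override them and the
# mapped hosts would be blocked.

block all

###############
# 1:1 nat
#
# Each lab host is mapped to a fixed VPN address (bidirectional). The
# interface is taken from the $vpn_if macro so it is defined in one place.

pass on $vpn_if from 192.168.33.231 to any binat-to 10.8.0.2
pass on $vpn_if from 192.168.33.232 to any binat-to 10.8.0.3
pass on $vpn_if from 192.168.33.233 to any binat-to 10.8.0.4
pass on $vpn_if from 192.168.33.234 to any binat-to 10.8.0.5
pass on $vpn_if from 192.168.66.21 to any binat-to 10.8.0.6
pass on $vpn_if from 192.168.66.22 to any binat-to 10.8.0.7
pass on $vpn_if from 192.168.66.23 to any binat-to 10.8.0.8
pass on $vpn_if from 192.168.55.120 to any binat-to 10.8.0.9
pass on $vpn_if from 192.168.88.120 to any binat-to 10.8.0.10

###############
# masq
#
# masq is not needed in the lab, so the rule below stays commented out.
# NOTE(review): the original referenced $ext_if, which this file never
# defines; $wan_if is presumably the macro meant for the external interface.
# Confirm the intended interfaces before enabling this rule.
# match out on $wan_if from !($vpn_if) to any nat-to ($vpn_if)

###############
# rules
#
# Filter actions in pf.conf are "pass", "block" and "match"; there is no
# "permit" keyword, so "permit" lines fail to load.

# wan2fw: from anywhere, only UDP/TCP port 655 on the external interface is reachable
pass proto { udp, tcp } from any to $wan_if port 655

# vpn2net: User1 clients get ssh/http/https into the lab; corp clients get all protocols
pass proto tcp from $User1_vpn_net to <lab_net> port { 22, 80, 443 }
pass from $corp_vpn_net to <lab_net>

# all2all: ICMP is allowed everywhere
pass proto icmp all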

pf.conf支持table、list,甚至嵌套,大大减少了rules的条数,易于维护。