Date: Tue, 30 Jan 2001 20:17:02 +0000
From: Jim Hatfield <jim@bedlam.demon.co.uk>
To: freebsd-questions@freebsd.org
Subject: ipfw vs ipf (again)
Message-ID: <tt7e7t84lbmitdtkjtuu29ff56is6582rl@4ax.com>
I've used ipfw on and off, but only for protecting servers. Now I'm building a firewall which will have NAT support, and I'm looking at the differences between ipfw and ipf. I've trawled the mailing lists but there are still a couple of things I'm not clear on.

As far as I can see, ipf should offer better performance than ipfw because a) NAT is done entirely within the kernel, avoiding the need for a trip to userland and back and b) the grouping feature should reduce the number of rules any packet is checked against. It also seems very feature complete.

However there are a couple of things I know can be done with ipfw but which I haven't been able to work out how to do with ipf, and I'd appreciate advice:

- packet forwarding, in support of a transparent http proxy. I can't see an equivalent of ipfw fwd, which will change the next hop address but leave the packet untouched (unless it's the fastroute feature, though it doesn't seem intended for this).

- selective NAT'ing. I want to only NAT packets which are headed to the Internet. Packets for our DMZ, on the "outside" interface of the router, and to our other offices via a VPN gateway, shouldn't be NAT'ed. ipfw makes this fairly easy but it didn't look so simple with ipf.

Regards,
Jim Hatfield

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
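For reference, here is what the two ipfw pieces the mail mentions look like as a loadable ruleset: an ipfw fwd rule handing LAN web traffic to a local transparent proxy, and skipto exemptions placed ahead of the divert natd rule so that DMZ and VPN destinations are never translated. This is an added example written for this archive page, not code from Jim Hatfield or from the FreeBSD tree; it uses FreeBSD 4.x era ipfw syntax, and every interface name, subnet and port in it (fxp0/fxp1, 192.168.1.0/24, 10.10.0.0/16, 172.16.0.0/12, a proxy on 127.0.0.1:3128, natd started with "natd -n fxp1", a kernel built with IPFIREWALL, IPDIVERT and IPFIREWALL_FORWARD) is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD.
# ipfw (FreeBSD 4.x syntax) ruleset demonstrating:
#   1. "fwd" to a local transparent HTTP proxy, and
#   2. selective NAT: exempt DMZ and VPN destinations before the divert rule.
# Assumed (constructed) values:
#   fxp0 = inside interface, 192.168.1.0/24 = LAN
#   fxp1 = outside interface, 10.10.0.0/16 = DMZ reachable via fxp1
#   172.16.0.0/12 = remote offices reached through the VPN gateway
#   squid listening on 127.0.0.1:3128 in transparent mode
#   natd started as "natd -n fxp1"; kernel has IPFIREWALL, IPDIVERT,
#   IPFIREWALL_FORWARD, and net.inet.ip.forwarding=1
IPFW="${IPFW:-ipfw}"   # set IPFW=echo to preview the rules without loading them
INSIDE=fxp0
OUTSIDE=fxp1
LAN=192.168.1.0/24
DMZ=10.10.0.0/16
VPN_NETS=172.16.0.0/12
PROXY=127.0.0.1,3128

load_rules() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0

    # 1. Transparent proxy: LAN web traffic arriving on the inside interface is
    #    handed to the proxy. Only the next hop changes; the packet is untouched.
    $IPFW add 1000 fwd $PROXY tcp from $LAN to any 80 in via $INSIDE

    # 2. Selective NAT: traffic between the LAN and the DMZ or the VPN offices
    #    jumps over the divert rule in both directions, so only Internet-bound
    #    traffic makes the trip through natd.
    $IPFW add 1900 skipto 3000 ip from $LAN to $DMZ via $OUTSIDE
    $IPFW add 1901 skipto 3000 ip from $DMZ to $LAN via $OUTSIDE
    $IPFW add 1910 skipto 3000 ip from $LAN to $VPN_NETS via $OUTSIDE
    $IPFW add 1911 skipto 3000 ip from $VPN_NETS to $LAN via $OUTSIDE
    $IPFW add 2000 divert natd ip from any to any via $OUTSIDE

    # 3. Ordinary filtering starts here (kept minimal for the example).
    $IPFW add 3000 allow tcp from any to any established
    $IPFW add 3010 allow ip from $LAN to any out via $OUTSIDE
    $IPFW add 3020 allow ip from $DMZ to $LAN in via $OUTSIDE
    $IPFW add 3030 allow ip from $VPN_NETS to $LAN in via $OUTSIDE
    $IPFW add 65000 deny log ip from any to any
}

# Load only when explicitly asked, so running the script by itself changes nothing.
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Run it as "IPFW=echo sh rules.sh apply" to review the generated rules first; the point to check is the ordering, since an exemption placed after rule 2000 would be reached only by packets natd has already handled.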