From owner-freebsd-questions Tue Jan 30 12:16:50 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from finch-post-11.mail.demon.net (finch-post-11.mail.demon.net [194.217.242.39]) by hub.freebsd.org (Postfix) with ESMTP id 34E3B37B684 for ; Tue, 30 Jan 2001 12:16:32 -0800 (PST)
Received: from bedlam.demon.co.uk ([158.152.16.93]) by finch-post-11.mail.demon.net with smtp (Exim 2.12 #1) id 14NhCZ-000O8M-0B for freebsd-questions@freebsd.org; Tue, 30 Jan 2001 20:16:31 +0000
From: Jim Hatfield
To: freebsd-questions@freebsd.org
Subject: ipfw vs ipf (again)
Date: Tue, 30 Jan 2001 20:17:02 +0000
Reply-To: jim@bedlam.demon.co.uk
Message-ID:
X-Mailer: Forte Agent 1.8/32.548
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've used ipfw on and off, but only for protecting servers. Now I'm building a firewall which will have NAT support, and I'm looking at the differences between ipfw and ipf. I've trawled the mailing lists but there are still a couple of things I'm not clear on.

As far as I can see, ipf should offer better performance than ipfw because a) NAT is done entirely within the kernel, avoiding the need for a trip to userland and back and b) the grouping feature should reduce the number of rules any packet is checked against. It also seems very feature complete.

However there are a couple of things I know can be done with ipfw but which I haven't been able to work out how to do with ipf, and I'd appreciate advice:

- packet forwarding, in support of a transparent http proxy. I can't see an equivalent of ipfw fwd, which will change the next hop address but leave the packet untouched (unless it's the fastroute feature, though it doesn't seem intended for this).

- selective NAT'ing. I want to only NAT packets which are headed to the Internet. Packets for our DMZ, on the "outside" interface of the router, and to our other offices via a VPN gateway, shouldn't be NAT'ed. ipfw makes this fairly easy but it didn't look so simple with ipf.

Regards,

Jim Hatfield
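For reference, a constructed ipfw ruleset (FreeBSD 4-era ipfw/natd syntax) that does the two things the post describes as easy with ipfw: fwd to a local transparent proxy, and NAT only for Internet-bound traffic. This is an added example, not part of the original message; the interface names (fxp0 outside, fxp1 inside), the LAN, DMZ and VPN prefixes, and the proxy port are placeholders to replace with your own.

```ipfw
# Constructed example.  Load with:  ipfw -q /etc/ipfw.rules
# Assumptions (placeholders): fxp0 = outside interface, with the DMZ
# 203.0.113.0/24 on that side; fxp1 = inside interface, LAN 192.168.1.0/24;
# 10.20.0.0/16 = remote offices reached via the VPN gateway; natd started
# with "natd -n fxp0"; a proxy such as squid listening on 127.0.0.1:3128.
# Kernel needs options IPFIREWALL, IPDIVERT and IPFIREWALL_FORWARD.

flush

add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any

# Selective NAT: traffic to or from the DMZ and the VPN'd offices jumps
# straight to the filtering policy, bypassing both the proxy redirect and
# the natd divert.  Matching on addresses only (no interface) covers both
# the inbound pass and the outbound pass of a forwarded packet.
add 200 skipto 1000 ip from any to 203.0.113.0/24
add 210 skipto 1000 ip from 203.0.113.0/24 to any
add 220 skipto 1000 ip from any to 10.20.0.0/16
add 230 skipto 1000 ip from 10.20.0.0/16 to any

# Transparent HTTP proxy: LAN web traffic arriving on the inside interface
# is handed to the local proxy by changing its next hop.  The packet itself
# is not rewritten; the proxy's own outbound connections are NAT'd below.
add 300 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 in via fxp1

# Only what is left (Internet-bound traffic and its replies) takes the
# trip to natd.  Inbound packets are de-translated here before filtering.
add 400 divert natd ip from any to any via fxp0

# Filtering policy.  Outbound packets reach this point already translated,
# so the LAN prefix is only visible on fxp1; on fxp0 the source is "me".
add 1000 allow tcp from any to any established
add 1010 allow tcp from 192.168.1.0/24 to any setup in via fxp1
add 1020 allow tcp from me to any setup out via fxp0
add 1030 allow ip from 192.168.1.0/24 to 10.20.0.0/16
add 1040 allow ip from 10.20.0.0/16 to 192.168.1.0/24
add 1050 allow tcp from 192.168.1.0/24 to 203.0.113.0/24 80 setup
add 65000 deny ip from any to any
```

Rule order is the whole trick: anything that terminates or skips before rule 400 never reaches natd, so a misplaced allow above the divert silently disables NAT for that traffic, and a policy rule placed after the divert must be written against the translated addresses.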