From: John Levine
To: freebsd-questions@freebsd.org
Date: 18 Oct 2006 15:10:44 GMT
Organization: I.E.C.C., Trumansburg NY USA
Subject: ipfw vs. ipf on a freebsd router
Message-ID: <20061018151141.85327.qmail@simone.iecc.com>

I'm putting together a FreeBSD router to sit between my LAN and a T1. The current router (still running BSD/OS) uses BSDI's ipfw, but that died when BSDI did. It's about as simple a routing job as one could ask: a T1 with a static address to a LAN with a static /24.

I have a whole bunch of packet filtering rules on the current router to keep out nasty stuff, based partly on port numbers but also on a couple of hundred IP ranges from the SBL and elsewhere. I have enough IP addresses that I do not need to NAT.

What are the relative merits of FreeBSD's ipf and ipfw? It looks like either can do the filtering I need to do. Any reason to choose one over the other?

While I'm at it, should I turn on netgraph or just use the regular network stuff?

R's,
John
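The blocklist part of the setup described above, as an added example that is not part of the original message or any reply: a couple of hundred SBL ranges fit naturally in one ipfw table rather than one rule each, and validating each entry before loading it keeps a typo in the list from silently shrinking the blocklist. The external interface name (fxp0), the table number (1) and the port list are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumed: external (T1)
# interface "fxp0", ipfw table number 1, FreeBSD ipfw with table support.
EXT_IF=${EXT_IF:-fxp0}
TABLE=${TABLE:-1}

# Accept "a.b.c.d" or "a.b.c.d/n"; return 0 if well-formed, 1 otherwise.
valid_cidr() {
    case "$1" in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *)   addr=$1;      len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac   # numeric prefix length
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac    # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs  # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist from stdin (one range per line, '#' comments allowed),
# emit one "ipfw table add" per valid entry and report malformed lines on
# stderr, so a bad line is noticed instead of being dropped quietly.
gen_table() {
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'ipfw table %s add %s\n' "$TABLE" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Ruleset skeleton: address blocklist first, then port-based denies on the
# outside interface, then a final allow (static addresses, no NAT).
gen_rules() {
    printf 'ipfw -f flush\n'
    printf 'ipfw table %s flush\n' "$TABLE"
    gen_table
    printf 'ipfw add 100 deny ip from table(%s) to any in via %s\n' "$TABLE" "$EXT_IF"
    printf 'ipfw add 200 deny tcp from any to any 135,137-139,445 in via %s\n' "$EXT_IF"
    printf 'ipfw add 65000 allow ip from any to any\n'
}
```

Run it as `gen_rules < blocklist.txt > ipfw.rules` and review the output before feeding it to sh on the router; the malformed-entry messages on stderr are the check worth reading first.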