From owner-freebsd-questions@FreeBSD.ORG Wed Oct 18 15:19:27 2006
From: Joe
To: John Levine
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw vs. ipf on a freebsd router
Date: Wed, 18 Oct 2006 08:19:18 -0700
Message-ID: <453645F6.7030401@gmail.com>
In-Reply-To: <20061018151141.85327.qmail@simone.iecc.com>
References: <20061018151141.85327.qmail@simone.iecc.com>
List-Id: User questions
User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909)

John Levine wrote:
> I'm putting together a freebsd router to sit between my LAN and a T1.
> The current router (still running BSD/OS) uses BSDI's ipfw, but that
> died when BSDI did. It's about as simple a routing job as one could
> ask, a T1 with a static address to a LAN with a static /24.
>
> I have a whole bunch of packet filtering rules on the current router
> to keep out nasty stuff based partly on port numbers but also a couple
> of hundred IP ranges from the SBL and elsewhere. I have enough IP
> addresses that I do not need to NAT.
>
> What are the relative merits of freebsd's ipf and ipfw? It looks like
> either can do the filtering I need to do. Any reason to choose one
> over the other?
>

Take a look at PF. It was developed by OpenBSD and ported to FreeBSD.
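What the question describes (port-based filtering plus a couple of hundred blocked ranges, no NAT, static /24 behind a T1) maps onto a short pf.conf, shown here as an added example that is not part of the thread or of any FreeBSD documentation. The interface names, the 192.0.2.0/24 documentation prefix, the table file paths and the port list are assumptions; substitute the real ones. It goes one step beyond the question by showing how the blocked ranges are kept in tables so they can be refreshed without reloading the ruleset.

```pf
# Added example pf.conf for a NAT-free router: T1 on ext_if, static /24 on int_if.
# Interface names, LAN prefix, table files and port list are assumptions.
ext_if  = "sr0"            # T1 interface (assumed name)
int_if  = "fxp0"           # LAN interface (assumed name)
lan_net = "192.0.2.0/24"   # documentation prefix standing in for the real /24

# Several hundred ranges belong in tables, not in individual rules: a table
# lookup is one radix-tree match whatever its size, and the contents can be
# swapped with pfctl -T replace while the ruleset stays loaded.
table <sbl>       persist file "/etc/pf/sbl.txt"        # SBL ranges, one CIDR per line (assumed path)
table <blocklist> persist file "/etc/pf/blocklist.txt"  # locally maintained ranges (assumed path)

# Services on LAN hosts that should be reachable from the Internet (assumed list).
in_tcp_ports = "{ 22, 25, 80, 443 }"

set skip on lo0
scrub in all

# pf is last-match-wins unless a rule says quick, so the hard drops come first
# with quick: packets claiming a LAN source on the outside, and the listed ranges.
antispoof quick for $ext_if
block in quick on $ext_if from { <sbl>, <blocklist> } to any

# Default deny for everything arriving on the T1; log it for pflog0/tcpdump.
block in log on $ext_if all

# LAN-initiated traffic may go anywhere; the state entry admits the replies.
pass in  on $int_if from $lan_net to any keep state
pass out all keep state

# Selected TCP services on LAN hosts are reachable from outside. flags S/SA
# creates state only on the initial SYN, so stray mid-stream segments are dropped.
pass in on $ext_if proto tcp from any to $lan_net port $in_tcp_ports flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` (with `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf for boot), and refresh the SBL list without touching the rules with `pfctl -t sbl -T replace -f /etc/pf/sbl.txt`; `pfctl -t sbl -T show` confirms what was loaded and `pfctl -vsr` shows per-rule match counters, which is the quickest way to confirm the table rule is actually firing.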