From owner-freebsd-questions@FreeBSD.ORG Wed Oct 18 15:25:30 2006
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: John Levine
Cc: freebsd-questions@freebsd.org
Date: Wed, 18 Oct 2006 18:25:37 +0300
Subject: Re: ipfw vs. ipf on a freebsd router
Message-ID: <20061018152537.GA23544@gothmog.pc>
In-Reply-To: <20061018151141.85327.qmail@simone.iecc.com>

On 2006-10-18 15:10, John Levine wrote:
> I'm putting together a freebsd router to sit between my LAN and a T1.
> The current router (still running BSD/OS) uses BSDI's ipfw, but that
> died when BSDI did. It's about as simple a routing job as one could
> ask, a T1 with a static address to a LAN with a static /24.
>
> I have a whole bunch of packet filtering rules on the current router
> to keep out nasty stuff based partly on port numbers but also a couple
> of hundred IP ranges from the SBL and elsewhere. I have enough IP
> addresses that I do not need to NAT.
>
> What are the relative merits of freebsd's ipf and ipfw? It looks like
> either can do the filtering I need to do. Any reason to choose one
> over the other?

For what it's worth, IPFW is also available on FreeBSD. I don't know
how different the BSDi version of IPFW was, but it may be easier to use
FreeBSD's IPFW -- at least at first. If reducing the pain of a
transition from BSD/OS to FreeBSD is a worthy goal, I would recommend
IPFW :)

> While I'm at it, should I turn on netgraph or just use the regular
> network stuff?

Not necessarily. Do you really need it?
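The filtering job described in the question (a static /24 behind a T1, no NAT, port-based rules plus a couple of hundred blocked IP ranges) maps naturally onto FreeBSD's ipfw lookup tables: the ranges go into a table and the ruleset itself stays at a handful of rules. The script below is an added example, not code from either poster; the interface name, the /24, the open ports and the blocklist are constructed placeholders, and it only generates the ipfw commands rather than loading them, so it can be inspected on any host before being run as root on the router.

```shell
#!/bin/sh
# Added example: generate an ipfw ruleset for a no-NAT router whose blocked
# ranges live in an ipfw lookup table. All values below are assumptions.

EXT_IF="${EXT_IF:-sr0}"              # assumed name of the T1 interface
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # assumed static /24 (documentation prefix)
BLOCK_TABLE=1                        # ipfw table number holding blocked ranges

# Constructed blocklist in the shape of an SBL-style export: one CIDR per
# line, '#' comments and blank lines allowed. Not real SBL data.
SAMPLE_BLOCKLIST='# constructed sample, not real SBL data
198.51.100.0/24
203.0.113.0/25
# trailing comment
203.0.113.128/25
'

# Emit one "ipfw table N add" command per CIDR in a blocklist. Comments and
# blank lines are dropped; anything that is not digits, dots and an optional
# /prefix is reported on stderr and skipped rather than fed to ipfw.
gen_table_rules() {
    printf '%s\n' "$1" |
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    while read -r cidr; do
        case "$cidr" in
            *[!0-9./]*|"") echo "skipping bad entry: $cidr" >&2; continue ;;
        esac
        echo "ipfw table $BLOCK_TABLE add $cidr"
    done
}

# Emit the static rules: loopback, early drop of anything to or from a
# blocked range on the external interface, stateful outbound from the LAN,
# a few inbound services, then logged deny for the rest of external inbound.
# Traffic matching none of these falls to the kernel's default rule 65535.
gen_base_rules() {
    cat <<EOF
ipfw -f flush
ipfw table $BLOCK_TABLE flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from table($BLOCK_TABLE) to any in via $EXT_IF
ipfw add 210 deny ip from any to table($BLOCK_TABLE) out via $EXT_IF
ipfw add 300 check-state
ipfw add 400 allow tcp from any to $LAN_NET 22,25,80 in via $EXT_IF setup
ipfw add 500 allow ip from $LAN_NET to any out via $EXT_IF keep-state
ipfw add 65000 deny log ip from any to any in via $EXT_IF
EOF
}

# Number of table entries a blocklist yields: a sanity check worth running
# before loading a few hundred ranges onto a production router.
count_table_entries() {
    gen_table_rules "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Print the complete ruleset (static rules, then the table entries).
gen_base_rules
gen_table_rules "$SAMPLE_BLOCKLIST"
```

Redirect the output to a file and review it before executing it on the router. Whether traffic that matches no rule is passed or dropped depends on the kernel's default rule 65535, which is set by the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option, so the final policy should be checked on the actual kernel rather than assumed from the script.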