Date: Mon, 30 Apr 2007 10:58:18 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Peter Jeremy <peterjeremy@optushome.com.au>
Cc: Jack Barnett <jackbarnett@gmail.com>, freebsd-net@freebsd.org
Subject: Re: Firewall
Message-ID: <20070430105659.C37507@fledge.watson.org>
In-Reply-To: <20070429112838.GH848@turion.vk2pj.dyndns.org>
References: <dedb607c0704280508nf2c071dh2f76967999f68696@mail.gmail.com> <20070429112838.GH848@turion.vk2pj.dyndns.org>

On Sun, 29 Apr 2007, Peter Jeremy wrote:

> On 2007-Apr-28 07:08:18 -0500, Jack Barnett <jackbarnett@gmail.com> wrote:
>> I plan on using NAT so both internal networks can get to the internets.
>>
>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>> IPFILTER and PF (BF?). I just need to do basic filtering and just a few
>> port forwards. Nothing too fancy. Which one would be recommended?
>
> Basically any of them will do what you want. The major differences are:
> - IPFW (IPFIREWALL) is FreeBSD only. Note that the NAT is in userland.

One of the big selling points of IPFW is integration with DUMMYNET, which
offers bandwidth management facilities not present in the other systems. I
understand there may be efforts afoot to add DUMMYNET support to other
firewall packages, but don't have any details. I have to say that DUMMYNET is
the main selling point for ipfw on my servers -- being able to rate limit
arbitrary IP addresses, port numbers, etc, both in terms of inbound and
outbound traffic is invaluable.

Robert N M Watson
Computer Laboratory
University of Cambridge

> - IPfilter is the most portable.
> - PF runs on *BSD. Note that (AFAIK) all proxies (eg FTP) are in userland.
>
> Userland NAT or proxies incur significantly higher overheads than
> in-kernel equivalents (because the packets have to cross the
> kernel/userland barrier twice). This may be an issue if you have a
> very fast Internet connection and an underpowered firewall.
>
> --
> Peter Jeremy
>