From owner-freebsd-questions Wed Oct 25 5:59: 8 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp6.port.ru (mx6.port.ru [194.67.23.42])
	by hub.freebsd.org (Postfix) with ESMTP id 9045337B4C5
	for ; Wed, 25 Oct 2000 05:59:02 -0700 (PDT)
Received: from [212.96.98.33] (helo=[212.96.98.33])
	by smtp6.port.ru with esmtp (Exim 3.14 #30)
	id 13oQ8l-00005y-00; Wed, 25 Oct 2000 16:58:48 +0400
Date: Wed, 25 Oct 2000 17:01:14 +0400 (MSD)
From: Jaroshenko Serge
X-Sender: jaroshenko@freebsd.merlin.ru
To: James Wilde
Cc: FreeBSD-questions@FreeBSD.ORG
Subject: Re: IPFW vs IP-Filter
In-Reply-To: <000601c03e6f$c9c1b0e0$8208a8c0@iqunlimited.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 25 Oct 2000, James Wilde wrote:

> I've checked the handbook and other sources on IPFW and IP-Filter and I
> would appreciate some comments on the two.
>
> I assume that one uses either/or and not both. IPFW is compiled into the
> kernel but IP-Filter runs as an application.

ipfilter is compiled into the kernel - see LINT:

    options IPFIREWALL                    #firewall
    options IPFIREWALL_VERBOSE            #print information about
                                          # dropped packets
    options IPFIREWALL_FORWARD            #enable transparent proxy support
    options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT                      #divert sockets
    options IPFILTER                      #ipfilter support
    options IPFILTER_LOG                  #ipfilter logging
    options IPSTEALTH                     #support for stealth forwarding

> I don't know if there is any
> advantage or disadvantage in this. I have always seen IP-Filter as being
> the richer in functionality with its statefulness and extra keywords, for
> example, the 'quick' keyword.
>
> My filter of choice therefore has hitherto been IP-Filter. Is there
> anything I am missing? What are the pros and cons of the two alternatives -
> and, in fact, any others that the panel would like to consider.

Which packet filter to install is your choice! I use ipfilter-3.4.11 - in
this version NAT works correctly for the M$ IExploder5 ftp protocol.

Sorry for my bad English!

Best regards!
Serge.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message