From: Mike Porter
Reply-To: mupi@mknet.org
To: Kwangyul Seo, freebsd-questions
Subject: Re: ipf/ipnatd vs ipfw/natd ?
Date: Wed, 17 Jan 2001 09:28:46 -0700
Message-Id: <01011709284603.57385@mukappa.home.com>
In-Reply-To: <20010117122933.A11424@plus.or.kr>

On Tuesday 16 January 2001 20:29, Kwangyul Seo wrote:

> Hello,
>
> What's the main difference between ipfw/natd and ipf/ipnatd?
> And where can I get detailed documents related to ipf/ipnatd?

I'm sure there are other people more qualified to answer this, and if you need more technical details, or info on the implications of the various things I am saying, you may want to wait and read their messages. All I can tell you is what my experience with them has been.

First, IN GENERAL, it is easier to set up and use ipfw and natd on FreeBSD. Given that FreeBSD has as a stated mission "ease of use" (and does better than the other BSDs at it, IMHO), this is consistent. For example, the rc.firewall script, run when you set firewall_enable="YES" in /etc/rc.conf, uses ipfw, and comes preset with a bunch of rules. All you have to do is add your own IP address, and you are pretty much taken care of.
natd is likewise easy to use; it's even included in rc.firewall, so you can enable it from rc.conf (natd_enable="YES", natd_interface="") and you're done. Any packet coming into your system with a different IP than the one assigned to it will be "translated" to match. Of course, there are a lot of additional options that you CAN use, but the basic use is pretty simple.

IPF, on the other hand, sacrifices some of that ease of use, and exchanges it for a bit more power (though from a practical standpoint, how much more power you need is debatable). Comparing ipf to ipfw, the biggest difference is that ipf uses kernel space, and ipfw performs its magic outside of that. I have found that even though ipf is a little more complex to use, once you get the hang of it, it is easier than ipfw to get the same level of functionality. Among other things, you can flush and reload the entire ruleset with one command, rather than having to run ipfw xxx a bunch of times. Granted, that could be scripted, as rc.firewall is (in fact, you can simply run rc.firewall again if you wish).

For my money, though, the biggest difference lies in the difference between natd and ipnat. natd is very easy to use, but ipnat offers the ability to monitor your nat'd connections without having to re-start the nat process using the -v option (which also kills any running nat sessions in the process). ipnat also makes it easier to specify a range of addresses (useful, for example, when your ISP gives you 16 IPs instead of just one, but you have 32 computers and don't want to buy additional IPs; rather than translating all of your connections to a single IP (and essentially wasting the other 15) you can specify the whole range).
It also APPEARS to work better with IPsec because it 1) has better ability to detect when a connection is over, 2) tries not to reassign the port if it can help it, and 3) frees the port/IP address pair much sooner than natd so it can be reused (IPsec tunnels from a host on the private network are a major PITA, but ipnat works better than natd. Supposedly some work was being done on libalias which would "fix" that in natd, but as yet I haven't seen it happen).

There was a thread discussing some of the differences from a more technical standpoint a while back on the -stable list; I would recommend that you search the archives there if you need more info.

mike
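The two ipf/ipnat points the message makes, mapping a LAN onto a range of public addresses and flushing/reloading the whole ruleset with one command, as an added example that is not part of the original message or of FreeBSD's own rc scripts. The outside interface fxp0, the LAN 192.168.1.0/24 and the public block 203.0.113.16/28 are constructed placeholders, and the rule files are loaded directly with ipf(8) and ipnat(8) rather than via rc.conf.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an ipnat ruleset
# that spreads one private LAN over a /28 (16 public addresses) and a
# minimal stateful ipf ruleset, then reloads both with one command each.
# All addresses and the interface name are constructed placeholders.

IFACE="${IFACE:-fxp0}"
LAN="${LAN:-192.168.1.0/24}"
PUBLIC="${PUBLIC:-203.0.113.16/28}"

# /etc/ipnat.rules equivalent. The first map rule covers TCP/UDP and
# rewrites source ports into a fixed range; the second catches everything
# else (ICMP etc.). Both use the whole /28 on the public side instead of
# a single address, which is the range feature the post describes.
gen_ipnat_rules() {
    printf 'map %s %s -> %s portmap tcp/udp 10000:40000\n' "$1" "$2" "$3"
    printf 'map %s %s -> %s\n' "$1" "$2" "$3"
}

# /etc/ipf.rules equivalent: default-deny inbound on the outside interface,
# stateful pass for traffic the LAN initiates. On output ipf filters before
# NAT, so the rules match the private source addresses; "keep state" lets
# replies back in without opening any inbound port.
gen_ipf_rules() {
    printf 'block in quick on %s all\n' "$1"
    printf 'pass out quick on %s proto tcp from %s to any keep state\n' "$1" "$2"
    printf 'pass out quick on %s proto udp from %s to any keep state\n' "$1" "$2"
    printf 'pass out quick on %s proto icmp from %s to any keep state\n' "$1" "$2"
}

# Flush and reload each ruleset with a single command; "ipnat -l" then
# shows the live NAT table without restarting any process.
reload_rules() {
    ipf -Fa -f /etc/ipf.rules        # -Fa: flush all rules, -f: load file
    ipnat -CF -f /etc/ipnat.rules    # -C: clear rules, -F: flush mappings
    ipnat -l                         # list active mappings
}

# Only touch the system when explicitly asked: ./nat-example.sh apply
if [ "$1" = "apply" ]; then
    gen_ipnat_rules "$IFACE" "$LAN" "$PUBLIC" > /etc/ipnat.rules
    gen_ipf_rules "$IFACE" "$LAN" > /etc/ipf.rules
    reload_rules
fi
```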