From owner-freebsd-security Wed Mar 7 16:29:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197])
	by hub.freebsd.org (Postfix) with ESMTP id AAA3E37B719
	for ; Wed, 7 Mar 2001 16:29:43 -0800 (PST)
	(envelope-from christopher@schulte.org)
Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22])
	by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id SAA20711;
	Wed, 7 Mar 2001 18:29:24 -0600 (CST)
	(envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 07 Mar 2001 18:29:10 -0600
To: Fernando Schapachnik , Nathan Dorfman
From: Christopher Schulte
Subject: Re: ipfw or ipf?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200103080011.VAA05148@ns1.via-net-works.net.ar>
References: <20010307190222.A72795@rtfm.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
>On the other hand ipfw can do traffic shaping. On FreeBSD you can
>build an "invisible" firewall with ipfw doing bridging.

ipfw + dummynet + bridging is exactly what I use for my firewall. It's fast, stable, easy to manage, powerful and I'd recommend it to anyone wanting to secure a small network using FreeBSD and 2 NICs.

Ipfw does have the ability to keep TCP states. I can't speak for NAT or portability. I have used ipf on at least OpenBSD and Solaris. It probably can be compiled on many more.

ipfw is beautiful - two NICs just hop into promisc mode. One connects to the 'internal' network, the other to possibly a router or public switch. Then using the firewall/shaping rules defined with ipfw, traffic is transparently passed (or dropped/rejected) from the external network to machines on the inside via software bridging.
Not to mention, you can do sophisticated traffic limiting at the same time.
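
The kind of ruleset the message describes (stateful filtering plus a dummynet limit on a bridging box), sketched as an added example that is not part of the original post or of FreeBSD's own scripts. It assumes the kernel already bridges the two NICs and hands bridged IP packets to ipfw; the inside network, bandwidth and rule numbers are constructed values, and handling of non-IP frames such as ARP varies by FreeBSD version and is not covered.

```shell
#!/bin/sh
# Added example: default-deny, stateful ipfw rules with a dummynet pipe for a
# two-NIC bridging firewall. All values below are constructed assumptions.
# IPFW defaults to a dry run that only prints each command; set
# IPFW=/sbin/ipfw on the FreeBSD bridge host (from the console) to apply it.
IPFW="${IPFW:-echo ipfw}"
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"   # documentation range, not a real site
LINK_BW="${LINK_BW:-512Kbit/s}"            # dummynet bandwidth limit

bridge_ruleset() {
    # Start from an empty ruleset; -f skips the interactive confirmation.
    $IPFW -f flush

    # One dummynet pipe. Rules that use "pipe 1" as their action queue the
    # packet through it; with net.inet.ip.fw.one_pass at its default of 1
    # the packet is accepted when it leaves the pipe.
    $IPFW pipe 1 config bw "$LINK_BW"

    # Packets of flows that already have dynamic state take the action of
    # the rule that created the state (here: pipe 1), in both directions.
    $IPFW add 100 check-state

    # TCP segments that claim to belong to a connection but matched no
    # dynamic state are dropped.
    $IPFW add 200 deny tcp from any to any established

    # Only the inside network may open flows; each one creates dynamic
    # state, so replies from outside are admitted by rule 100.
    $IPFW add 300 pipe 1 tcp from "$INSIDE_NET" to any setup keep-state
    $IPFW add 400 pipe 1 udp from "$INSIDE_NET" to any keep-state

    # Anything else, including unsolicited traffic from the outside
    # segment, is dropped before it reaches the inside machines.
    $IPFW add 65000 deny ip from any to any
}

bridge_ruleset
```

Because the pipe is the accepting action, both directions of every permitted flow share the one bandwidth limit.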