From: gica gica
Date: Thu, 29 Aug 2002 00:43:07 -0700 (PDT)
Subject: general questions on nat and ipfw (vs. pf/ and ipf/ipnat)
To: freebsd-questions@freebsd.org
Message-ID: <20020829074307.47784.qmail@web20301.mail.yahoo.com>

Hello!

Even though I use FreeBSD on almost every machine in the LAN, the gateways are OpenBSD. Of course, there are some advantages to this, but the main reason for this is their firewall / nat tool, i.e. PF. To ease maintenance and in the hope of achieving better results, I decided to switch them also to FreeBSD. Still, even though ipfw has about the same qualities as its pf firewall counterpart, natd looks to me like a poor choice.

I have searched the net in order to find some benchmarks on these firewalls, but I found some only on ipf and pf. Assuming that they have about the same ratio, I want to ask you guys about natd and ipfw.

I am not sure about the ipfw stateful implementation. As far as I know, stateful rules are something "new" to ipfw (actually not so new - since 4.0, I recall) and they don't quite fit into the old natd architecture. Plus, a kernel option to do the NAT is more performant and secure than having a process (like natd) to do that.

The ipf/ipnat package is a possibility, but I choose ipfw because it has the rules (pipes) to allow/deny traffic to users/hosts. Still, I rely heavily on NAT and I want to make sure that natd is a good choice.

Thank you,
Costin