From owner-freebsd-questions@FreeBSD.ORG Fri May 2 07:57:57 2003
Date: Fri, 2 May 2003 15:57:50 +0100
From: Matthew Seaman
To: Vince Hoffman
cc: "'freebsd-questions@freebsd.org'"
Subject: Re: firewalling choice
Message-ID: <20030502145750.GA13479@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <3500515B75D9D311948800508BA37955014BDAB6@EX-LONDON>
References: <3500515B75D9D311948800508BA37955014BDAB6@EX-LONDON>
User-Agent: Mutt/1.5.4i
List-Id: User questions
X-List-Received-Date: Fri, 02 May 2003 14:57:58 -0000
On Fri, May 02, 2003 at 02:19:25PM +0100, Vince Hoffman wrote:
> Hi,
> I'm looking at implementing a FreeBSD (4.8-RELEASE) firewall. Since
> FreeBSD supports ipfw and ipf I was wondering if either one has a particular
> advantage over the other. Can anyone point me at a comparison/give me an
> informed opinion?

This has become a FAQ on this list over the last few weeks.

Unfortunately, there is no definitive answer as to which one is "better", nor is there huge disparity between the sizes of the constituencies that favour one over the other.

Either ipfw or ipf will almost certainly do what you want: which one you choose is pretty much a matter of taste nowadays. Oh, there are anecdotal reports that one will out-perform the other at a particular task, and that the other is better for something else, but for a normally loaded machine just doing packet filtering and/or NAT, the differences are probably not going to be significant.

The biggest difference between the two from the user perspective is that ipfw(8) is a 'first match wins' type ruleset, whereas ipf(8) is 'last match wins'. Read the manual pages to find out which syntax suits you best. If you can't decide, toss a coin.

In extremis, you can run *both* ipfw and ipf, but check the archives for details of how they interact and what order the rulesets get applied to packets in various situations.

If you choose ipfw(8), do read the section in the man page about enabling ipfw2 support --- it offers some handy new syntax for writing rulesets and personally I think ipfw2 should be the default ipfw version in 4.x by now (as it is in FreeBSD 5.x).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
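The 'first match wins' versus 'last match wins' distinction Matthew points to is the one that bites people who port a ruleset from one tool to the other. As an added illustration (not part of the original mail, and not the syntax of either ipfw or ipf), the toy evaluator below runs the same ordered rule list under both semantics, including ipf's `quick` keyword which makes a matching rule final; the rule and packet representation is my own, and the default decisions when nothing matches are assumptions stated in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # ipf-style: a matching quick rule is final


@dataclass
class Packet:
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto is None or rule.proto == pkt.proto) and \
           (rule.dport is None or rule.dport == pkt.dport)


def ipfw_decide(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfw semantics: the first matching rule decides.
    The default when nothing matches is assumed to be deny here (the kernel
    option IPFIREWALL_DEFAULT_TO_ACCEPT flips that on a real system)."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def ipf_decide(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """ipf semantics: the last matching rule decides, unless a matching rule
    is marked quick, which ends evaluation at that rule.  ipf passes packets
    that match no rule at all, hence the default."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed rulesets, all meant to express "allow SSH, block everything else".
IPFW_STYLE = [Rule("pass", "tcp", 22), Rule("block")]               # specific first
IPF_STYLE = [Rule("block"), Rule("pass", "tcp", 22)]                # catch-all first
IPF_QUICK = [Rule("pass", "tcp", 22, quick=True), Rule("block")]    # ipfw order + quick
SSH, HTTP = Packet("tcp", 22), Packet("tcp", 80)
```

Feeding `IPFW_STYLE` to `ipf_decide` blocks SSH because the catch-all is the last match, and feeding `IPF_STYLE` to `ipfw_decide` blocks SSH because the catch-all is the first match; only `IPF_QUICK` gives the intended answer under both evaluators.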