Date: Tue, 21 Aug 2001 05:55:44 -0500
From: D J Hawkey Jr
To: freebsd-security@freebsd.org
Subject: Re: ipf / ipfw Which to use?
Message-ID: <20010821055544.A24214@sheol.localdomain>
Reply-To: hawkeyd@visi.com

On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > I've been playing with both of these and I was wondering why are both
> > available?
> > They *seem* to do almost the same thing although ipfw is much more
> > *tweakable*...
> >
> > What's the difference between the two and how should I decide which I
> > should be using...?
>
> Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> dummynet at the same time).

It's also a matter of efficiency; ipfilter does it all in the kernel, as
opposed to the packets having to go to userland and back for 'ipfw' to
play with them. It therefore seems to me ipfilter might be more secure,
as it can't be compromised by userland?

Personally, I think ipfilter more "tweakable" and/or capable, but that's
just my opinion.

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/