Date: Tue, 21 Aug 2001 13:58:39 +0300
From: Peter Pentchev
To: D J Hawkey Jr
Cc: freebsd-security@freebsd.org
Subject: Re: ipf / ipfw Which to use?
Message-ID: <20010821135839.F7824@ringworld.oblivion.bg>
References: <20010821055544.A24214@sheol.localdomain>
In-Reply-To: <20010821055544.A24214@sheol.localdomain>; from hawkeyd@visi.com on Tue, Aug 21, 2001 at 05:55:44AM -0500

On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
>
> On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> > On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > > I've been playing with both of these and I was wondering why are both
> > > available?
> > > They *seem* to do almost the same thing although ipfw is much more
> > > *tweakable*...
> > >
> > > What's the difference between the two and how should I decide which I
> > > should be using...?
> >
> > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> > dummynet at the same time).
>
> It's also a matter of efficiency; ipfilter does it all in the kernel, as
> opposed to the packets having to go to userland and back for 'ipfw' to
> play with them.
ipfw does not process packets in userland. natd, as used with ipfw,
processes NAT'd (diverted) packets in userland. ipnat, as used with
ipfilter, processes NAT'd (diverted) packets in the kernel. For bare
firewall functionality, without NAT, ipfw and ipfilter should perform
similarly.

> It therefore seems to me ipfilter might be more secure, as it can't be
> compromised by userland?
>
Again, this only applies to NAT.

> Personally, I think ipfilter more "tweakable" and/or capable, but that's
> just my opinion.

Both have their strong and weak points.

G'luck,
Peter

--
I've heard that this sentence is a rumor.
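The two NAT arrangements the reply contrasts, written out as an rc.firewall-style sh script. This is an added illustration, not code from the thread or from FreeBSD; the external interface fxp0 and the inside net 192.168.0.0/24 are constructed sample values, and the rc.conf knobs mentioned in the comments are assumed to be the ones in use on the system. As in FreeBSD's /etc/rc.firewall, running with fwcmd=echo prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: the two NAT paths the reply contrasts.
# ext_if (fxp0) and int_net (192.168.0.0/24) are constructed sample values.
ext_if="${ext_if:-fxp0}"
int_net="${int_net:-192.168.0.0/24}"
# Same trick as FreeBSD's /etc/rc.firewall: run with fwcmd=echo to print the
# ipfw commands instead of loading them into the kernel.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Path 1: ipfw + natd. With 'options IPDIVERT' in the kernel and
# natd_enable="YES" / natd_interface="fxp0" in rc.conf, rule 100 hands every
# packet crossing fxp0 to natd's divert socket; natd rewrites it in userland
# and reinjects it, and ipfw processing resumes at the next rule.
ipfw_natd_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 divert natd ip from any to any via "${ext_if}"
    # Rules after the divert see translated addresses: an outbound packet
    # now carries the external address, so match on direction and TCP flags
    # (the stateless 4.x style) rather than on ${int_net}.
    ${fwcmd} add 200 pass tcp from any to any established
    ${fwcmd} add 300 deny log tcp from any to any in via "${ext_if}" setup
    ${fwcmd} add 400 pass tcp from any to any setup
    ${fwcmd} add 500 pass udp from any to any 53 out via "${ext_if}"
    ${fwcmd} add 510 pass udp from any 53 to any in via "${ext_if}"
    ${fwcmd} add 65000 deny log ip from any to any
}

# Path 2: ipfilter + ipnat (ipfilter_enable / ipnat_enable in rc.conf).
# The map rules in ipnat.conf are applied inside the kernel, so no daemon
# sits in the data path and NAT and filter state are kept in one place.
ipnat_conf() {
    cat <<EOF
map ${ext_if} ${int_net} -> 0/32 portmap tcp/udp 10000:20000
map ${ext_if} ${int_net} -> 0/32
EOF
}

# ipf.conf: ipfilter filters outbound packets before translating them, so
# the inside addresses are still visible here; replies are admitted by the
# state table, and everything else arriving on the outside is dropped.
ipf_conf() {
    cat <<EOF
pass out quick on ${ext_if} proto tcp from ${int_net} to any flags S keep state
pass out quick on ${ext_if} proto udp from ${int_net} to any keep state
block in log quick on ${ext_if} all
EOF
}

# Usage: sh nat-compare.sh ipfw   (prefix with fwcmd=echo for a dry run)
#        sh nat-compare.sh ipf
case "${1:-}" in
    ipfw) ipfw_natd_rules ;;
    ipf)  ipf_conf; echo; ipnat_conf ;;
esac
```

The ipfw side deliberately uses the stateless "established"/"setup" rules of that era: because natd runs after rule 100 and rewrites addresses in userland, rules placed after the divert no longer see the inside addresses, which is exactly the kind of detail the ipnat path avoids by doing the translation in the kernel.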