From: Peter Jeremy <peterjeremy@optushome.com.au>
To: Jack Barnett
Cc: freebsd-net@freebsd.org
Subject: Re: Firewall
Date: Sun, 29 Apr 2007 21:28:38 +1000
Message-ID: <20070429112838.GH848@turion.vk2pj.dyndns.org>
List-Id: Networking and TCP/IP with FreeBSD

On 2007-Apr-28 07:08:18 -0500, Jack Barnett wrote:
> I plan on using NAT so both internal networks can get to the internets.
>
> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
> IPFILTER and PF (BF?). I just need to do basic filtering and just a few
> port forwards. Nothing too fancy. Which one would be recommended?

Basically any of them will do what you want. The major differences are:

- IPFW (IPFIREWALL) is FreeBSD only. Note that the NAT is in userland.
- IPfilter is the most portable.
- PF runs on *BSD. Note that (AFAIK) all proxies (e.g. FTP) are in userland.

Userland NAT or proxies incur significantly higher overheads than in-kernel
equivalents (because the packets have to cross the kernel/userland barrier
twice). This may be an issue if you have a very fast Internet connection and
an underpowered firewall.

-- 
Peter Jeremy
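As an added example (not from either poster in this thread), a FreeBSD pf.conf covering what the original poster asked for: in-kernel NAT for two internal networks, a couple of port forwards, and default-deny filtering, plus the userland ftp-proxy(8) hand-off that illustrates the kernel/userland round trip the reply mentions. Interface names (em0/em1/em2), the 192.168.x.0/24 ranges and the forwarded hosts are assumed placeholders.

```pf
# /etc/pf.conf -- added example, not from the thread. Interface names,
# address ranges and the forwarded hosts below are assumed placeholders.
ext_if  = "em0"                 # Internet-facing interface
int_if1 = "em1"                 # first internal LAN
int_if2 = "em2"                 # second internal LAN
int_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"
web_srv = "192.168.1.10"        # internal host reachable on outside port 80
ssh_srv = "192.168.2.20"        # internal host reachable on outside port 2222

set skip on lo0
scrub in all

# Translation rules (FreeBSD's pf uses the separate nat/rdr syntax).
# NAT for both internal networks is done in-kernel; ($ext_if) tracks a dynamic address.
nat on $ext_if from $int_nets to any -> ($ext_if)

# Port forwards: outside :80 -> internal web server, outside :2222 -> internal ssh host.
rdr on $ext_if proto tcp from any to ($ext_if) port 80   -> $web_srv port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> $ssh_srv port 22

# Active-mode FTP from the LANs is handed to the userland ftp-proxy(8) on 127.0.0.1:8021;
# every FTP data connection then crosses the kernel/userland boundary, which is the
# overhead the reply describes. Rules the proxy creates land in this anchor.
rdr pass on { $int_if1, $int_if2 } proto tcp from $int_nets to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# Filtering: default deny inbound (logged), let the LANs out, admit only the forwarded services.
block in log all
pass out quick keep state
pass in on { $int_if1, $int_if2 } from $int_nets to any keep state
# Filter rules see the post-rdr (translated) destination, so match the internal hosts here.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ssh_srv port 22 flags S/SA keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the FTP rule only does something useful once ftp-proxy is running (`ftpproxy_enable="YES"` in /etc/rc.conf).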