From owner-freebsd-chat  Sun Sep 16 23:46:47 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
	by hub.freebsd.org (Postfix) with ESMTP id BE08637B401
	for <chat@FreeBSD.ORG>; Sun, 16 Sep 2001 23:46:44 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id AAA25407;
	Mon, 17 Sep 2001 00:46:05 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010917003434.046f6490@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 17 Sep 2001 00:45:39 -0600
To: Giorgos Keramidas <charon@labs.gr>,
	Jason Anthony Mifsud <jamifsud@superrpg.com>
From: Brett Glass <brett@lariat.org>
Subject: Re: ipfw and ipf and pf
Cc: chat@FreeBSD.ORG
In-Reply-To: <20010915140313.A45993@hades.hell.gr>
References: <20010914232949.A45136@FATE>
 <20010914232949.A45136@FATE>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-chat.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-chat>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-chat>
X-Loop: FreeBSD.org

At 05:03 AM 9/15/2001, Giorgos Keramidas wrote:

>You seem to be prejudiced on this matter.
>Why are you saying that ipf or pf[1] is more robust?

Many people think so. This may be because, for a long
time, ipfw did not have stateful packet examination -- and
the statefulness it now incorporates isn't as flexible as
ipf's. Also, the mechanism it uses for NAT -- "divert sockets" --
seems to send every packet on a trip through userland. This
can be inefficient under high loads.

As for pf: it's very much like ipf in terms of rule
syntax but is in a different place in the pipeline 
architecturally. 

>Both ipf and ipfw can be a descent firewall.  They have similar features, and
>what can be done in one of them, is also possible with the other for more or
>Less all their features.  There is on thing that I know ipfw does, which ipf
>cannot handle, and that it 'pipes'; a means of bandwidth-limiting.

True. However, to be fair, the other BSDs do provide different 
facilities for bandwidth limiting.

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message