From owner-freebsd-small Tue Apr 24 12: 3:34 2001
Delivered-To: freebsd-small@freebsd.org
Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197]) by hub.freebsd.org (Postfix) with ESMTP id 5D72B37B42C for ; Tue, 24 Apr 2001 12:03:31 -0700 (PDT) (envelope-from gunther@aurora.regenstrief.org)
Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38]) by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f3OJ3nA19963; Tue, 24 Apr 2001 14:03:49 -0500
Message-ID: <3AE5CDFE.9900D18B@aurora.regenstrief.org>
Date: Tue, 24 Apr 2001 19:03:26 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Luigi Rizzo , freebsd-small@freebsd.org
Subject: ipfw vs. ipf (was: Re: PicoBSD's kernel, /dev/kmem, and the kernfs
References: <200104241825.UAA32171@info.iet.unipi.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-small@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Luigi Rizzo wrote:

> for once i should say:
>
> try ipfw, it does most of the things ipfilter does (except for
> in-kernel nat) and something more (dummynet and fair queueing)

Yes, I actually started with ipfw but I now migrate to ipf. I find ipfw and the DIVERT socket quite elegant, but still, I migrate. The reasons I migrate to ipf (and the reason you might want to think about this too) are:

- ipf is across all *BSDs
- ipf is more likely to play well with IPsec
- ipf is (arguably) more secure

These points are actually dependent. The maintenance of ipf sounds pretty strong to me, so I'd trust it more. I am generally worried about too much splintering between the *BSDs, and I prefer what leaves me compatible. For PicoBSD issues there is a great benefit of staying somewhat compatible to NetBSD, namely NetBSD's support of other machine architectures. StrongARM or MIPS based systems are often smaller and cheaper.

The IPsec/ipf* integration is a concern of everyone who builds a VPN-gateway and firewall. The KAME people lean towards better IPsec SPD integration with ipf, because ipf is a platform used across all *BSDs. Finally, for dummynet and fair queuing I prefer using ALTQ, for similar reasons.

After I have survived the pain of saying goodbye to ipfw, I wonder why FreeBSD tries to make its own thing with ipfw instead of just riding the wave of ipf.

regards
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-small" in the body of the message