From owner-freebsd-questions Wed Nov 28 9:34:22 2001
Date: Wed, 28 Nov 2001 11:30:13 +0000
From: Josh Paetzel
To: Vikash Badal / PCS
Cc: "Freebsd-Questions (E-mail)"
Subject: Re: Which provides a better firewall (ipfw or ipf)
Message-ID: <20011128113013.B550@twincat.vladsempire.net>
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04E4BB27@PSICS001>; from VikashB@ComparexAfrica.co.za on Wed, Nov 28, 2001 at 03:15:53PM +0200

On Wed, Nov 28, 2001 at 03:15:53PM +0200, Vikash Badal / PCS wrote:
> Greetings,
>
> I have been searching around and am still unsure as to which
> one (ipfw or ipf) is the better solution to implement on a firewall.
>
> I have used ipfw before and understand it (mostly).
> ipf was ported to FreeBSD recently; is it better than ipfw?
>
> Which (based upon your experiences) is the better solution?
>
> Thanks
> Vikash

Having used ipfw for quite a while, I recently changed over to ipf. There were a couple of reasons that factored into my decision.
#1 ipf is available on OpenBSD and NetBSD as well as FreeBSD, so familiarity with it enables a bit of portability that ipfw doesn't give you.

#2 ipf has the ability to keep two rulesets loaded, and allows you to easily switch between them. This is especially useful when changing or debugging rulesets on an active connection.

The advantages that ipfw had over ipf in my case were:

#1 I was familiar with the ipfw syntax, but not the ipf syntax. This can easily lead to a firewall that doesn't do what you expect it to.

#2 ipfw uses a first-match-wins ruleset, whereas ipf is a last-match-wins setup. This can cause the ruleset to get quite bulky and hard to follow, especially if it is a longish ruleset, as you end up using a lot of quick rules to keep common packets from going through every rule in the list.

Hope that helps you make an informed decision.

Josh
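The matching-order difference Josh describes in his second ipfw point is the one that bites people porting a ruleset between the two. The following is an added example, not code from the mail or from either firewall: a toy evaluator for a small subset of ipf rule syntax (`pass`/`block`, `in`/`out`, `quick`, `proto`, `from`/`to`, `port = N`) that walks the same constructed rule list under ipf's last-match-wins semantics and under first-match-wins semantics as ipfw applies them. Addresses are from the RFC 5737 documentation ranges and the traffic is made up; only the matching order is modelled, not ipfw's actual syntax or stateful features.

```python
"""Toy rule evaluator: ipf last-match-wins (with `quick`) vs ipfw first-match-wins.

Constructed example for illustration; it understands only a small subset of
ipf syntax and models matching order, nothing else.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool                  # ipf: stop walking the list once this rule matches
    proto: Optional[str]         # "tcp", "udp", or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port, or None for any
    text: str                    # original rule text, kept for reporting


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse `pass|block in|out [log] [quick] [proto P] (all | from A to B [port = N])`."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line}")
    proto = toks[toks.index("proto") + 1] if "proto" in toks else None
    src = _net(toks[toks.index("from") + 1]) if "from" in toks else ANY
    dst = _net(toks[toks.index("to") + 1]) if "to" in toks else ANY
    dport = None
    if "port" in toks:
        i = toks.index("port")
        if toks[i + 1] != "=":
            raise ValueError(f"only 'port = N' is supported: {line}")
        dport = int(toks[i + 2])
    return Rule(action, direction, "quick" in toks, proto, src, dst, dport, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate_ipf(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipf: the LAST matching rule decides, unless a matching rule is `quick`,
    which ends the walk at once. A packet matching no rule passes, which is
    why ipf rulesets usually open with `block in all`."""
    decision = "pass"
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                return decision, n          # n = rules examined before deciding
    return decision, len(rules)


def evaluate_first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw-style: the FIRST matching rule decides and the walk stops.
    No match falls through to the default rule, which is deny on a stock
    FreeBSD kernel (assumption: that default is modelled as "block")."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "block", len(rules)


# Constructed ruleset written the ipf way: default deny first, exceptions after it.
RULE_TEXT = [
    "block in all",
    "pass in quick proto tcp from any to 192.0.2.10/32 port = 22",
    "block in quick from 198.51.100.0/24 to any",
    "pass in proto tcp from any to 192.0.2.10/32 port = 80",
]
IPF_RULES = [parse_rule(t) for t in RULE_TEXT]
# The same rules ordered for a first-match engine: specifics first, default deny last.
FIRST_MATCH_RULES = IPF_RULES[1:] + IPF_RULES[:1]


def demo() -> Dict[str, Tuple[str, int]]:
    """Run constructed sample traffic through both semantics; returns (decision, rules examined)."""
    ssh = Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 22)
    web = Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 80)
    web_bad_net = Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 80)
    dns = Packet("in", "udp", "203.0.113.5", "192.0.2.10", 53)
    # Same ruleset with `quick` forgotten on the block rule: under last-match the
    # later `pass ... port = 80` now overrides it, and the blocked network gets in.
    forgot_quick = list(IPF_RULES)
    forgot_quick[2] = parse_rule(RULE_TEXT[2].replace(" quick", ""))
    return {
        "ipf ssh": evaluate_ipf(IPF_RULES, ssh),
        "ipf web": evaluate_ipf(IPF_RULES, web),
        "ipf web from blocked net": evaluate_ipf(IPF_RULES, web_bad_net),
        "ipf dns": evaluate_ipf(IPF_RULES, dns),
        "ipf web from blocked net, no quick": evaluate_ipf(forgot_quick, web_bad_net),
        "first-match, ipf order, ssh": evaluate_first_match(IPF_RULES, ssh),
        "first-match, reordered, ssh": evaluate_first_match(FIRST_MATCH_RULES, ssh),
        "first-match, reordered, web from blocked net": evaluate_first_match(FIRST_MATCH_RULES, web_bad_net),
        "first-match, reordered, dns": evaluate_first_match(FIRST_MATCH_RULES, dns),
    }


if __name__ == "__main__":
    for name, (decision, examined) in demo().items():
        print(f"{name:48s} -> {decision:5s} after {examined} rule(s)")
```

Two things the output shows that the mail only states: the ipf-ordered list fed to a first-match engine blocks everything at rule 1, so a ruleset cannot be moved between the two without reordering; and under last-match, dropping `quick` from one block rule silently lets a later `pass` win, while the SSH and port-80 packets walk two and four rules respectively, which is the "lots of quick rules" pressure Josh mentions. Josh's other ipf point, the second loaded ruleset, corresponds in ipf(8) to loading into the inactive set with `ipf -I -f rulesfile` and then swapping the active and inactive sets with `ipf -s`.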