From owner-freebsd-small Thu Sep 7 9:53:36 2000
Message-Id: <4.3.2.7.2.20000907094231.00e09ab0@mail.flashcom.net>
Date: Thu, 07 Sep 2000 09:56:35 -0700
To: freebsd-small@freebsd.org
From: Tim O'Neil
Subject: Re: PicoBSD build request
In-Reply-To: <200009071418.QAA28992@info.iet.unipi.it>
References: <4.3.2.7.2.20000907070627.00b18270@mail.flashcom.net>

At 07:18 AM 9/7/00, Luigi wrote:
>i am not saying he does not have a point (but what are your motivations for
>going with ipfilter instead ?)
>
>because it was easier for me to understand how to integrate dummynet
>with it. It's one of those initial choices that one never finds
>the energy/time to reconsider.
>
>I still think that the gap between ipfw and ipfilter is reducing.
>We have stateful inspection now, and the other features (natd, what
>else ?) are not that important to me, plus i am working on them (i
>even had some in-kernel NAT working on ipfw back in march, lost
>the code after a physical disk crash).

You're absolutely right, ipfw IS easier to use. But that ease loses you functionality that in my case I found I absolutely had to have with IPF. And after I started using ipf I found it really isn't that bad. I can also sympathize when you mention "learning curve". But there are some things you simply have to knuckle down and do. At least in my case, being able to build and admin a better than decent firewall was one of those things.

To answer your first question, "motivations", the deal was this: I have an ISP that is using fishy routers (either DHCP-assigned IPs, or something; it's been a while) to serve my segment of their network. I couldn't get ipfw to work at all; it would write a cryptic message to the syslog, something about the IP subsystem couldn't "write the packet back." In searching through old BSD mailing list archives I came across a little more detail, and that there would be no workaround other than asking my ISP to change their router policy. So I looked into firewall alternatives and discovered ipf worked like a charm right out of the box.

-Tim