Date: Wed, 8 May 2002 01:55:39 -0700 (PDT)
From: "Nielsen" <nielsen@memberwebs.com>
To: "Tom Limoncelli" <tal@lumeta.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: ipf vs. ipfw
Message-ID: <20020508085539.0500437B405@hub.freebsd.org>
References: <3CD8558E.2FA68C36@lumeta.com>
> I use ipf, and recently some people have asked me about ipfw that I
> couldn't answer. Hopefully people on this list can enlighten me.

I use both, on the same machines (!). There are features that I need from both.

> Are ipf and ipfw different interfaces to the same in-kernel filtering
> mechanism? It doesn't look like it is, but I'd like that confirmed.

Nope, totally different. In my experience ipf (and the related ipnat) seem to go deeper into the kernel and play more tricks. In some cases they bypass portions of the normal routing, etc.

I prefer ipnat (to natd) for NAT as it's all done in kernel mode.

ipfw has dummynet and all that. Also the forwarding mechanism (which we use here for source-based routing) is cleaner there in my opinion.

ipf has a more complete syntax for the firewall. It also makes it easier to add and remove rules at will without knowing the previous structure of the firewall. We use this for jails a lot.

> Why does FreeBSD have both? Is it because ipf is generic (ported to
> Solaris, IRIX, OpenBSD, etc.) and ipfw is specifically designed for
> FreeBSD?

That's what I thought. It's nice to have a choice too.

Nate
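As an added example (not part of Nate's mail, nor either project's own scripts) of the point about adding and removing rules without knowing the ruleset's structure, here are the same per-jail rules managed first with ipf and then with ipfw. The interface name fxp0, the jail address 10.1.1.5 and the ipfw numbering scheme are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: per-jail rules with ipf
# versus ipfw. Constructed assumptions: outside interface fxp0, jail
# address 10.1.1.5, and the ipfw numbering scheme in ipfw_jail_base.
# DRY=1 (default) only prints what would run; DRY=0 executes ipf/ipfw.
DRY=${DRY:-1}
run() { if [ "$DRY" = 1 ]; then echo "$*"; else "$@"; fi; }

# ipf: a rule is identified by its own text, not by a position.  The same
# text loaded with "ipf -f FILE" adds it and with "ipf -r -f FILE" removes
# it, so a jail can come and go without reading the rest of the ruleset.
# Appended rules land after the base rules; since ipf is last-match-wins
# for rules without "quick", a base "block in on fxp0 all" (no quick) is
# overridden by the appended pass rule.
ipf_jail_rules() {   # $1 = jail IP, $2 = TCP port to expose
    printf 'pass in on fxp0 proto tcp from any to %s port = %s flags S keep state\n' "$1" "$2"
    printf 'pass out on fxp0 proto tcp from %s to any flags S keep state\n' "$1"
}
ipf_jail_apply() {   # $1 = "" to add or "-r" to remove, $2 = IP, $3 = port
    tmp=$(mktemp) || return 1
    ipf_jail_rules "$2" "$3" > "$tmp"
    [ "$DRY" = 1 ] && cat "$tmp"
    run ipf $1 -f "$tmp"
    rm -f "$tmp"
}
ipf_jail_add()    { ipf_jail_apply ""   "$1" "$2"; }
ipf_jail_remove() { ipf_jail_apply "-r" "$1" "$2"; }

# ipfw: every rule sits at a number, so adding or deleting a jail's rules
# means choosing a number that is free and sits before the base deny.
# That is the "previous structure" the post says ipf lets you ignore.
# Assumed scheme: jail N owns numbers 10000+100*N (below a base deny at
# a higher number, and with check-state handled by the base ruleset).
ipfw_jail_base() { echo $((10000 + 100 * $1)); }   # $1 = jail index
ipfw_jail_add() {    # $1 = jail index, $2 = jail IP, $3 = TCP port
    n=$(ipfw_jail_base "$1")
    run ipfw add "$n" allow tcp from any to "$2" "$3" in via fxp0 setup keep-state
    run ipfw add "$n" allow tcp from "$2" to any out via fxp0 setup keep-state
}
ipfw_jail_remove() { run ipfw delete "$(ipfw_jail_base "$1")"; }  # all rules at that number

# Demo (dry run): bring up jail 1 on 10.1.1.5 port 80 both ways, then tear it down.
ipf_jail_add 10.1.1.5 80;    ipf_jail_remove 10.1.1.5 80
ipfw_jail_add 1 10.1.1.5 80; ipfw_jail_remove 1
```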