From owner-freebsd-security Wed May 8 1:55:41 2002
From: "Nielsen"
To: "Tom Limoncelli"
Subject: Re: ipf vs. ipfw
Date: Wed, 8 May 2002 01:55:39 -0700 (PDT)

> I use ipf, and recently some people have asked me about ipfw that I
> couldn't answer. Hopefully people on this list can enlighten me.

I use both, on the same machines (!). There are features that I need from both.

> Are ipf and ipfw different interfaces to the same in-kernel filtering
> mechanism? It doesn't look like it is, but I'd like that confirmed.

Nope, totally different. In my experience ipf (and the related ipnat) seem to go deeper into the kernel and play more tricks. In some cases they bypass portions of the normal routing, etc.

I prefer ipnat (to natd) for NAT, as it's all done in kernel mode.

ipfw has dummynet and all that. Also, the forwarding mechanism (which we use here for source-based routing) is cleaner there, in my opinion.

ipf has a more complete syntax for the firewall. It also makes it easier to add and remove rules at will without knowing the previous structure of the firewall. We use this for jails a lot.

> Why does FreeBSD have both? Is it because ipf is generic (ported to
> Solaris, IRIX, OpenBSD, etc.) and ipfw is specifically designed for
> FreeBSD?

That's what I thought. It's nice to have a choice too.

Nate
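The practical difference Nate describes (ipf rules can be added and removed by handing the same file to `ipf -f` and `ipf -r -f`, while ipfw rules are tracked by number), together with the ipnat, dummynet and `fwd` pieces he mentions, as an added shell example that is not part of the original thread or of either project's own code. The interface name fxp0, the jail address 10.0.0.5, the LAN 192.168.1.0/24, the next hop 192.168.2.1 and the ipfw rule-number base are all assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from Nate's mail): per-jail rule management with ipf vs. ipfw.
# Interface fxp0, jail IP 10.0.0.5, LAN 192.168.1.0/24 and the rule-number
# base 1000 are hypothetical values chosen for illustration.

# ipf: rules are matched by content, not by number. The same file is handed to
# "ipf -f" to add and "ipf -r -f" to remove, so one jail's rules can come and
# go without knowing what else is loaded.
jail_ipf_rules() {
    jail_ip=$1; ifc=$2
    cat <<EOF
pass in quick on $ifc proto tcp from any to $jail_ip/32 port = 22 flags S keep state
pass in quick on $ifc proto tcp from any to $jail_ip/32 port = 80 flags S keep state
block in quick on $ifc from any to $jail_ip/32
EOF
}

# ipnat: kernel-mode NAT for the LAN behind the box (what the mail prefers to natd).
ipnat_rules() {
    ifc=$1; lan=$2
    cat <<EOF
map $ifc $lan -> 0/32 portmap tcp/udp 10000:20000
map $ifc $lan -> 0/32
EOF
}

# ipfw: every rule carries a number, so removing a jail's rules later means
# remembering the numbers you used. Here each jail gets a block of numbers
# starting at a caller-chosen base.
jail_ipfw_rules() {
    jail_ip=$1; ifc=$2; base=$3
    cat <<EOF
ipfw add $base allow tcp from any to $jail_ip 22 in via $ifc setup keep-state
ipfw add $((base + 1)) allow tcp from any to $jail_ip 80 in via $ifc setup keep-state
ipfw add $((base + 2)) deny ip from any to $jail_ip in via $ifc
EOF
}

# The ipfw-only features from the mail: a dummynet pipe, and a fwd rule that
# does source-based routing (traffic from $src_net leaves via $next_hop).
ipfw_extras() {
    src_net=$1; next_hop=$2; ifc=$3
    cat <<EOF
ipfw pipe 1 config bw 512Kbit/s
ipfw add 2000 pipe 1 ip from $src_net to any out via $ifc
ipfw add 2010 fwd $next_hop ip from $src_net to any out via $ifc
EOF
}

# Add or remove one jail's ipf rule set. Only invokes ipf if it is installed,
# so the function is a no-op (dry run) on a box without IPFilter.
ipf_jail() {
    action=$1; jail_ip=$2; ifc=$3
    f=$(mktemp) || return 1
    jail_ipf_rules "$jail_ip" "$ifc" > "$f"
    case $action in
        add)    command -v ipf >/dev/null 2>&1 && ipf -f "$f" ;;
        remove) command -v ipf >/dev/null 2>&1 && ipf -r -f "$f" ;;
    esac
    rm -f "$f"
}

# Remove an ipfw jail block: delete by the numbers handed out above.
ipfw_jail_remove() {
    base=$1
    command -v ipfw >/dev/null 2>&1 || return 0
    ipfw delete "$base" "$((base + 1))" "$((base + 2))"
}
```

On a FreeBSD box with root, `ipf_jail add 10.0.0.5 fxp0` loads the jail's rules and `ipf_jail remove 10.0.0.5 fxp0` unloads exactly those three rules, regardless of what else is in the active rule set; the ipfw equivalent needs the base number (`jail_ipfw_rules 10.0.0.5 fxp0 1000 | sh` to add, `ipfw_jail_remove 1000` to remove), which is the bookkeeping the mail is talking about.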