From owner-freebsd-hackers Wed Aug 14 04:49:51 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA24960 for hackers-outgoing; Wed, 14 Aug 1996 04:49:51 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA24955 for ; Wed, 14 Aug 1996 04:49:48 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id EAA14395 for ; Wed, 14 Aug 1996 04:49:30 -0700 (PDT)
To: hackers@freebsd.org
Subject: ipfw vs ipfilter?
Date: Wed, 14 Aug 1996 04:49:30 -0700
Message-ID: <14393.840023370@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've been trying to implement a firewall for the past couple of days, and over the course of same have come to realize a few interesting things I didn't know (at least from direct experience) before:

1. ipfw is klunky. klunky interface, klunky syntax, klunky code.

2. ipfw has changed so much, and with so little regard for backwards-compatible command syntax, that many of the docs floating around for it do not even apply.

3. I've tried to implement a firewall with it using the available directions and so far I've successfully implemented the wall portion, it's just getting legitimate traffic through it that's not working. :-) This thing's ease-of-use factor could stand some real improvement.

4. Darren Reed's ipfilter software is well documented, supported, and runs on everything from Solaris to Linux to *BSD. It also has some interesting looking tools which have been written for it.

5. ipfilter's license is very relaxed. There's no reason we couldn't bundle it.

6. If I get this firewall up and running easily with ipfilter (and the Jury's still out on that), you can expect to hear me chanting "down with ipfw! up with ipfilter!" in the near future. :-)

Jordan