Date:      Mon, 10 Jul 2000 17:52:44 -0700 (PDT)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        Carlton Haycock <chaycock1@mindspring.com>
Cc:        "questions@freebsd.org" <questions@FreeBSD.ORG>
Subject:   Re: ipfilter vs ipfw
Message-ID:  <Pine.BSF.4.21.0007101747500.39116-100000@harlie.bfd.com>
In-Reply-To: <200007110014.UAA31175@tisch.mail.mindspring.net>

On Mon, 10 Jul 2000, Carlton Haycock wrote:

> I am in the process of building a firewall using FreeBSD.  I am aware of the firewall
> built into the kernel (ipfw), but I also see a lot of people talking about another package
> called IPFILTER.  I have seen comments stating that IPFILTER is better, but no one
> has yet to say why or why they prefer it.  I would be most appreciative if someone
> could give a brief overview of the differences as far as functionality is concerned.
> I have read the how-tos and stuff on FreeBSD Diary but can find nothing that does
> a comparison of the two.

Having done both, I can tell you that both work fine under most
circumstances, but IPFILTER had one limitation that killed its use
here.  We have multiple nets in the RFC-reserved ranges, and a pseudo-DMZ
between two firewalls.  The outer firewall is only capable of packet
filtering, no NAT, so the inner firewall must do the NAT for those nets
behind the firewall that need transparent support to the outside world.

The problem is, we don't want the nets behind the firewall to NAT to the
DMZ machines for tracking purposes.  Well, IPFilter can't do that, or at
least it couldn't as of 3.2.???.
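As an added example that is not part of the original thread: an ipfw/natd rule set for the inner firewall described above, showing how traffic bound for the DMZ is exempted from NAT by placing an allow rule ahead of the divert rule. The interface name xl0 and the nets 10.0.0.0/8 and 192.168.100.0/24 are assumed placeholders, and natd is assumed to be running as `natd -interface xl0` on a kernel built with IPDIVERT.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface and nets are
# constructed placeholders; override them in the environment if needed.
OIF="${OIF:-xl0}"              # interface facing the outer firewall / DMZ
INNER="${INNER:-10.0.0.0/8}"   # private nets behind the inner firewall
DMZ="${DMZ:-192.168.100.0/24}" # pseudo-DMZ between the two firewalls
IPFW="${IPFW:-ipfw}"           # set IPFW=echo to print rules instead of loading

# Emit the rule set, lowest rule number first. ipfw stops at the first
# matching terminal rule, so the DMZ 'allow' rules must precede 'divert':
# packets that match them never reach natd and keep their inner addresses,
# which is what makes DMZ-side logs attributable to the real inner host.
nat_rules() {
    # 1. Inner <-> DMZ traffic passes untranslated in both directions.
    echo "add 100 allow ip from $INNER to $DMZ out via $OIF"
    echo "add 110 allow ip from $DMZ to $INNER in via $OIF"
    # 2. Everything else crossing the outer interface is handed to natd.
    echo "add 200 divert natd ip from any to any via $OIF"
    # 3. Ordinary filtering follows; finish with a logged default deny.
    echo "add 300 allow ip from $INNER to any out via $OIF"
    echo "add 65000 deny log ip from any to any"
}

# Self-check for later edits to the rule set: the first rule that mentions
# the DMZ net must be an 'allow', otherwise DMZ traffic would be diverted.
dmz_is_exempt() {
    nat_rules | grep -m1 "$DMZ" | grep -q ' allow '
}

# Load the rules into the kernel (or print them when IPFW=echo).
load_rules() {
    nat_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPFW $rule
    done
}
```

Run `IPFW=echo sh thisfile.sh; load_rules` in a shell that sourced the file to review the rules before loading them for real.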