Date:      Wed, 28 Nov 2001 11:30:13 +0000
From:      Josh Paetzel <friar_josh@webwarrior.net>
To:        Vikash Badal / PCS <VikashB@ComparexAfrica.co.za>
Cc:        "Freebsd-Questions (E-mail)" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Which provides a better firewall (ipfw or ipf)
Message-ID:  <20011128113013.B550@twincat.vladsempire.net>
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04E4BB27@PSICS001>; from VikashB@ComparexAfrica.co.za on Wed, Nov 28, 2001 at 03:15:53PM +0200
References:  <501BF453CDCFD111A6E40080C83DAC04E4BB27@PSICS001>

On Wed, Nov 28, 2001 at 03:15:53PM +0200, Vikash Badal / PCS wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> I have been searching around and am still unsure as to which
> one (ipfw or ipf) is the better solution to implement on a firewall.
> 
> I have used ipfw before and understand it (mostly).
> ipf was ported to FreeBSD recently and is it better than ipfw ?
> 
> Which (based upon your experiences) is the better solution
> 
> Thanks
> Vikash

Having used ipfw for quite a while I recently changed over to ipf.  
There were a couple of reasons that factored into my decision.

#1 ipf is available on OpenBSD and NetBSD as well as FreeBSD, so 
   familiarity with it enables a bit of portability that ipfw doesn't 
   give you.

#2 Ipf has the ability to keep two rulesets loaded, and allows you to 
   easily switch between them.  This is especially useful when 
   changing or debugging rulesets on an active connection.

The advantages that ipfw had over ipf in my case were:

#1 I was familiar with the ipfw syntax, but not the ipf syntax.  This 
   can easily lead to a firewall that doesn't do what you expect it 
   to.

#2 ipfw uses a first-match-wins ruleset, whereas ipf is a last-match-
   wins setup.  This can cause the ruleset to get quite bulky 
   and hard to follow, especially if it is a longish ruleset, as 
   you end up using a lot of quick rules to keep common packets 
   from going through every rule in the list.

Hope that helps you make an informed decision.

Josh
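Added example (not part of the original message, and not ipfw's or ipf's own code): a small Python simulation of the two evaluation models contrasted above. The rule and packet representation is hypothetical and deliberately simplified (protocol and destination port only); it is not either firewall's syntax. It shows that the same "allow ssh and http, block the rest" policy needs a different rule order under first-match (ipfw) than under last-match (ipf), that under last-match every packet walks the whole list unless a matching rule carries `quick`, and that feeding an ipf-ordered list to first-match evaluation silently blocks everything, which is the "doesn't do what you expect" failure Josh warns about.

```python
"""Constructed simulation of first-match (ipfw-style) versus
last-match-with-quick (ipf-style) rule evaluation.  Hypothetical
model for illustration; not the real firewalls' code or syntax."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port
    quick: bool = False          # ipf 'quick' flag; first-match ignores it


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies equals the packet's."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def first_match(rules: List[Rule], pkt: Packet,
                default: str = "block") -> Tuple[str, int]:
    """ipfw-style: the first matching rule decides and evaluation stops.
    Returns (decision, number of rules examined)."""
    for i, r in enumerate(rules, start=1):
        if matches(r, pkt):
            return r.action, i
    return default, len(rules)


def last_match(rules: List[Rule], pkt: Packet,
               default: str = "block") -> Tuple[str, int]:
    """ipf-style: walk every rule; the last matching rule wins, unless a
    matching rule is marked 'quick', which ends evaluation there.
    Returns (decision, number of rules examined)."""
    decision = default
    examined = 0
    for r in rules:
        examined += 1
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision, examined


# Same policy, written the way each engine expects it (constructed rulesets).
IPFW_RULES = [                      # first match wins: specific passes first
    Rule("pass", "tcp", 22),
    Rule("pass", "tcp", 80),
    Rule("block"),
]
IPF_RULES = [                       # last match wins: catch-all block first
    Rule("block"),
    Rule("pass", "tcp", 22),
    Rule("pass", "tcp", 80),
]
IPF_RULES_QUICK = [                 # same, with 'quick' on the common passes
    Rule("block"),
    Rule("pass", "tcp", 22, quick=True),
    Rule("pass", "tcp", 80, quick=True),
]

SSH = Packet("tcp", 22)
DNS = Packet("udp", 53)


def demo() -> None:
    """Print each engine's decision and how many rules it had to consult."""
    cases = [
        ("ipfw list, first-match, ssh", first_match(IPFW_RULES, SSH)),
        ("ipfw list, first-match, dns", first_match(IPFW_RULES, DNS)),
        ("ipf list, last-match, ssh", last_match(IPF_RULES, SSH)),
        ("ipf list + quick, last-match, ssh", last_match(IPF_RULES_QUICK, SSH)),
        ("ipf list + quick, last-match, dns", last_match(IPF_RULES_QUICK, DNS)),
        # Wrong semantics for the list: everything hits the catch-all block.
        ("ipf list, first-match, ssh", first_match(IPF_RULES, SSH)),
    ]
    for label, (decision, examined) in cases:
        print(f"{label:40s} -> {decision:5s} ({examined} rules examined)")


if __name__ == "__main__":
    demo()
```

The `examined` count is the cost Josh describes: without `quick`, the ssh packet walks all three ipf rules even though its fate was settled at rule two, and on a long real ruleset that gap is what drives people to sprinkle `quick` everywhere.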