Date: Sun, 10 Dec 2000 20:28:17 +0100
From: Rémi Guyomarch
To: freebsd-stable@freebsd.org
Subject: Re: IPFIREWALL or IPFILTER?
Message-ID: <20001210202817.C22773@diabolic-cow.chatgris.net>

On Sun, Dec 10, 2000 at 01:23:36PM -0200, Antonio Carlos Pina wrote:
> Hello,
>
> > > Besides that, I've seen a lot of people saying that IPFILTER is better than
> > > IPFW (faster, more powerful, etc)
> >
> > Don't know if it's faster, but IPFilter is definitely way more powerful.
>
> Could you tell us why ?

Can you do stateful filtering of TCP, UDP and ICMP streams with ipfw ?
(this includes icmp errors and fragmented packets [ADSL anyone ? ...]).

Does the TCP state filtering engine in ipfw actually check sequence
numbers and window sizes ?

Is there something like "block return-icmp-as-dest (port-unr) ..." in ipfw ?

Is there a concept similar to the head/group thing in ipfw ?

Can you save/restore to/from disk filter and NAT state entries ?

Can you redirect traffic to many internal boxes with a round-robin
mechanism ?

And last but not least, can you use the same rule set on a Solaris
box, on {Free,Open,Net}BSD, on BSDi, on HPUX etc...

> A lot of people here (including me) would like to know about
> ipfilter...

Check the ipfilter web site and the ipfilter how-to.

-- 
Rémi