Date: Tue, 29 Jun 1999 21:04:05 +1200
From: "Dan Langille" <junkmale@xtra.co.nz>
To: "Art Neilson, KH7PZ" <art@hawaii.rr.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: ipfilter vs ipfw (was Re: tcp_wrappers)
Message-ID: <19990629090654.GLCL112692.mta2-rme@wocker>
In-Reply-To: <3.0.6.32.19990628190217.032dd6b0@clients1.hawaii.rr.com>
References: <19990627230044.HINL1400.mta2-rme@wocker>
On 28 Jun 99, at 19:02, Art Neilson, KH7PZ wrote:

> OK so Dan, while looking around on the website you mentioned I
> found a section regarding ipnat.
>
> http://www.freebsddiary.org/freebsd/ipnat.htm
>
> This page describes how to do NAT via the ipfilter kernel module
> or LKM. How does this differ from using natd? Other than maybe
> performance? Do you gain any features or other benefits by using
> ipfilter nat vs. natd nat? I'm currently using natd so am interested
> if the ipfilter method is better.

I, personally, think ipfilter (ipf) is a much more robust product. I have no proof of that. Merely anecdotes from those that use ipf.

One feature within ipf that I think is worth mentioning is the rule group. This is a great short-hand way of ensuring that rules stick together where they should stick together. For example, the following is my first couple of rules:

block in log on ed0 all head 100
block out log on ed0 all head 150

This effectively blocks all traffic on ed0. Later on you see stuff like this:

pass in quick proto tcp from any to any port = www keep state group 100
pass in quick proto tcp from any to any port = telnet keep state group 100
pass in quick proto tcp from any to any port = ssh keep state group 100
pass in quick proto tcp/udp from any to any port = domain keep state group 100

All of these relate to traffic coming in on ed0. Similarly, the following stops those private addresses from coming in on ed0:

#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100

Perhaps others with more technical knowledge of ipf can jump in here and tell you more about that.
--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm
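The full shape of a ruleset built this way, as an added example and not Dan's actual configuration: both heads with their groups filled in, the private-address blocks placed ahead of the pass rules (with "quick", order decides which rule wins), and an outbound group 150 that the message shows only the head of. Using ed0 as the external interface and the particular services offered are assumptions.

```ipf
# Constructed /etc/ipf.rules example; ed0 is assumed to be the external interface.
#
# Default-deny heads: each opens a group. A packet that matches a head
# is tested against that group's rules; if none of them match, the
# head's own "block ... log" stands and the packet is logged and dropped.
block in  log on ed0 all head 100
block out log on ed0 all head 150

#
# Group 100: traffic arriving on ed0.
#
# Reserved/private source addresses first: "quick" stops processing
# at the first match, so these must precede the pass rules below,
# otherwise a spoofed 10.x.x.x packet to port 80 would be accepted.
block in log quick from 10.0.0.0/8     to any group 100
block in log quick from 172.16.0.0/12  to any group 100
block in log quick from 192.168.0.0/16 to any group 100

# Services offered to the outside; "keep state" lets the reply
# packets back out without matching rules in group 150.
pass in quick proto tcp     from any to any port = www    keep state group 100
pass in quick proto tcp     from any to any port = ssh    keep state group 100
pass in quick proto tcp/udp from any to any port = domain keep state group 100

#
# Group 150: traffic leaving ed0. Connections the firewall itself
# opens are allowed and tracked, so their returning packets are
# accepted from the state table rather than by a rule in group 100.
#
pass out quick proto tcp  from any to any keep state group 150
pass out quick proto udp  from any to any keep state group 150
pass out quick proto icmp from any to any keep state group 150
```

Anything arriving on ed0 that matches neither the block list nor a service rule falls back to head 100 and is logged, which is the record to watch when tuning the group.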