From owner-freebsd-net@FreeBSD.ORG Sun Apr 29 19:23:29 2007
Message-ID: <4634F0B0.5060007@elischer.org>
Date: Sun, 29 Apr 2007 12:23:28 -0700
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
To: Peter Jeremy
Cc: Jack Barnett, freebsd-net@freebsd.org
Subject: Re: Firewall
In-Reply-To: <20070429112838.GH848@turion.vk2pj.dyndns.org>
References: <20070429112838.GH848@turion.vk2pj.dyndns.org>
List-Id: Networking and TCP/IP with FreeBSD

Peter Jeremy wrote:
> On 2007-Apr-28 07:08:18 -0500, Jack Barnett wrote:
>> I plan on using NAT so both internal networks can get to the internets.
>>
>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>> IPFILTER and PF (BF?). I just need to do basic filtering and just a few
>> port forwards. Nothing too fancy. Which one would be recommended?
>
> Basically any of them will do what you want. The major differences are:
> - IPFW (IPFIREWALL) is FreeBSD only. Note that the NAT is in userland.

though that is just fine for your average DSL link. It is in kernel in 7.0.

> - IPfilter is the most portable.
> - PF runs on *BSD. Note that (AFAIK) all proxies (eg FTP) are in userland.
>
> Userland NAT or proxies incur significantly higher overheads than
> in-kernel equivalents (because the packets have to cross the
> kernel/userland barrier twice). This may be an issue if you have a
> very fast Internet connection and an underpowered firewall.
>
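To make the setup Jack describes concrete (two internal networks NATed out one external link, basic filtering, a couple of port forwards), here is an added example pf.conf in the nat/rdr syntax pf used on FreeBSD 6.x and 7.0. It is not from the thread or from the FreeBSD project; the interface names, address ranges and the forwarded service are assumptions chosen for illustration.

```pf
# Added example pf.conf (FreeBSD 6.x/7.0 syntax); all names below are assumed.
ext_if  = "fxp0"            # assumed external (DSL) interface
lan1_if = "xl0"             # assumed first internal interface
lan2_if = "xl1"             # assumed second internal interface
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
web_srv  = "192.168.1.10"   # assumed internal host receiving the port forward

set skip on lo0
scrub in all

# Translation rules run in the kernel before filtering.
# NAT both internal networks out the external interface, using whatever
# address the external interface currently holds (dynamic DSL address).
nat on $ext_if from { $lan1_net, $lan2_net } to any -> ($ext_if)

# Port forward: inbound TCP/80 on the external address goes to the web server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Filtering: default deny inbound, log what is dropped.
block in log all
antispoof quick for { $lan1_if, $lan2_if }

# Let the firewall and the internal networks reach out, with state.
pass out quick keep state
pass in on { $lan1_if, $lan2_if } from { $lan1_net, $lan2_net } to any keep state

# Because rdr already rewrote the destination, the pass rule matches the
# internal address, not the external one.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and enable forwarding and pf at boot with `gateway_enable="YES"` and `pf_enable="YES"` in /etc/rc.conf. This ruleset uses only the in-kernel nat and rdr translation, so the userland crossing Peter describes does not arise; it would only come into play if an application proxy such as ftp-proxy were added for active FTP.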