Date: Sat, 11 Dec 2004 17:53:25 +0100
From: Max Laier <max@love2party.net>
To: freebsd-ipfw@freebsd.org
Cc: Castl Troy <mastah@phreaker.net>
Subject: Re: ipfw vs ipfilter
Message-ID: <200412111753.32974.max@love2party.net>
In-Reply-To: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net>
[-- Attachment #1 --]

On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
>
> Can anybody help me with understanding the difference between ipfilter (ipf)
> and ipfirewall (ipfw)?
> Any link to docs or info will greatly help me. I have used FreeBSD for almost 5
> years, but I used only ipfw for packet routing
> and never used ipfilter for this. I wonder, is it an "internal" packet routing
> mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but I really don't know what ipfilter is;
> man ipf did not help me with understanding the difference.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

There are quite a few differences between IPFW and IPF or PF (which is the
third firewall software currently available). The short answer is that IPFW
provides a low-level filter mostly focused on the IP layer, while PF also
provides sophisticated filtering on the TCP/UDP layer. I am not saying it is
not possible to filter UDP/TCP with IPFW, but not to the degree that is
possible with PF. Included in this point is the focus on static (IPFW) vs.
dynamic (PF) rules. IPFW provides dynamic rules, but - when compared to PF - a
very limited version. One should note that IPFW is very fast when evaluating
static rules, while PF is not as fast with static rules but gains a lot with
dynamic rules. Finally, IPFW does not have a network address translation unit
in-kernel and needs to divert packets to userland utilities to perform NAT. PF
does that in the kernel and provides - in conjunction with the dynamic rules -
very powerful means to do load balancing.

The other obvious difference is the ruleset syntax. This is mostly a matter of
choice. I personally find that PF style rulesets are easier to read.

As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.
As IPF in the tree is still version 3.x it is lacking quite a few of the nice
new features - address pools e.g.
So if you want to look at an alternative to IPFW you better look at PF.

More information about PF, as mentioned in the handbook:
http://www.openbsd.org/faq/pf/index.html

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBBuyYMXyyEoT62BG0RAl7wAJ9emOCmg5BqJCWZMz6lmyYdIxuM1ACeNgQI
DQOe4caMsxsHeTfoKcr+264=
=3FA0
-----END PGP SIGNATURE-----
Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200412111753.32974.max>
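The following is an added example, not part of Max Laier's message or of either project's own code. It puts the three points of his comparison side by side for one small policy (masquerade a LAN, allow outbound TCP/UDP statefully, drop the rest): PF does NAT in-kernel from the same ruleset and can spread clients over an address pool, while IPFW has to `divert` packets to the userland natd(8) and expresses state with `check-state`/`keep-state`. The script only generates the two rule files so it can be read and checked offline; the interface name em0, the LAN 192.168.1.0/24 and the public pool 203.0.113.10-11 are assumed, constructed values.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumed values:
#   external interface em0, LAN 192.168.1.0/24,
#   constructed public pool 203.0.113.10 and .11 (documentation range).
ext_if="em0"
lan="192.168.1.0/24"

# pf.conf equivalent: NAT lives in the kernel and in the same ruleset,
# 'round-robin' over a pool is the kind of address-pool feature mentioned
# in the mail, and 'keep state' creates the dynamic (stateful) entries.
pf_ruleset() {
cat <<EOF
ext_if = "$ext_if"
lan = "$lan"
# in-kernel NAT; a two-address pool balanced round-robin
nat on \$ext_if from \$lan to any -> { 203.0.113.10, 203.0.113.11 } round-robin
block all
pass out on \$ext_if proto tcp from \$lan to any flags S/SA keep state
pass out on \$ext_if proto udp from \$lan to any keep state
EOF
}

# ipfw equivalent, in the file form read by 'ipfw -q <file>':
#   rule 100  - no in-kernel NAT: hand traffic on $ext_if to natd(8) in userland
#   rule 200  - check-state matches packets against existing dynamic rules
#   rules 300/400 - keep-state creates those dynamic rules for new flows
#   rule 65000 - everything else is denied
ipfw_ruleset() {
cat <<EOF
add 00100 divert natd ip from any to any via $ext_if
add 00200 check-state
add 00300 allow tcp from $lan to any out via $ext_if setup keep-state
add 00400 allow udp from $lan to any out via $ext_if keep-state
add 65000 deny ip from any to any
EOF
}

# Offline self-checks: does each ruleset carry the property the comparison
# is about (NAT inside the PF ruleset vs. a divert to userland in IPFW)?
pf_has_kernel_nat() { pf_ruleset | grep -q '^nat on'; }
ipfw_uses_divert()  { ipfw_ruleset | grep -q 'divert natd'; }

# Usage: sh rulesets.sh pf > /tmp/pf.conf ; pfctl -nf /tmp/pf.conf
#        sh rulesets.sh ipfw > /tmp/ipfw.rules ; ipfw -q /tmp/ipfw.rules
#        (natd must be running on $ext_if for the divert rule to do anything)
case "${1:-}" in
    pf)   pf_ruleset ;;
    ipfw) ipfw_ruleset ;;
esac
```

`pfctl -nf` parses the file without loading it, which is the cheap way to validate the PF side on a box that has PF compiled in; the IPFW file needs `ipdivert` in the kernel and a running `natd -n em0` before rule 100 has anywhere to send packets.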
