Date: Sat, 11 Dec 2004 17:53:25 +0100
From: Max Laier <max@love2party.net>
To: freebsd-ipfw@freebsd.org
Cc: Castl Troy <mastah@phreaker.net>
Subject: Re: ipfw vs ipfilter
Message-ID: <200412111753.32974.max@love2party.net>
In-Reply-To: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net>
References: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net>
On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
>
> Can anybody help me with understanding the difference between ipfilter (ipf)
> and ipfirewall (ipfw)?
> Any link to docs or info will greatly help me. I have used FreeBSD for almost 5
> years, but I have only used ipfw for packet routing
> and never used ipfilter for this. I wonder whether it is an "internal" packet routing
> mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but I really don't know what ipfilter is;
> man ipf did not help me with understanding the difference.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

There are quite a few differences between IPFW and IPF or PF (which is the
third firewall software currently available). The short answer is that IPFW
provides a low-level filter mostly focused on the IP layer, while PF provides
also sophisticated filtering on the TCP/UDP layer. I am not saying it is not
possible to filter UDP/TCP with IPFW, but not to the degree that is possible
with PF. Included in this point is the focus on static (IPFW) vs. dynamic (PF)
rules. IPFW provides dynamic rules, but - when compared to PF - a very
limited version. One should note that IPFW is very fast when evaluating
static rules, while PF is not as fast with static rules but gains a lot with
dynamic rules. Finally, IPFW does not have a network address translation
unit in-kernel and needs to divert packets to userland utilities to perform
NAT. PF does that in the kernel and provides - in conjunction with the
dynamic rules - very powerful means to do load balancing.

The other obvious difference is the ruleset syntax. This is mostly a matter
of choice. I personally find that PF style rulesets are easier to read.

As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.
As IPF in the tree is still version 3.x it is lacking quite a few of the nice
new features, e.g. address pools. So if you want to look at an alternative
to IPFW you had better look at PF.

More information about PF, as mentioned in the handbook:
http://www.openbsd.org/faq/pf/index.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
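As an added illustration (not part of Max's message or of either project's documentation), a constructed pf.conf that exercises the three PF capabilities he contrasts with IPFW: in-kernel NAT, dynamic (stateful) rules, and address-pool load balancing. Interface names and addresses are assumed, and the IPFW counterpart in the leading comment is only a sketch of how the same NAT and stateful filtering would be expressed with natd(8) divert and keep-state.

```pf
# pf.conf (constructed example) for a gateway with one LAN behind it.
#
# Rough IPFW counterpart of the NAT + stateful part, for comparison:
#   natd -n fxp0 &                       # NAT lives in a userland daemon
#   ipfw add divert natd ip from any to any via fxp0
#   ipfw add check-state
#   ipfw add allow tcp from 192.168.1.0/24 to any out via fxp0 setup keep-state
#   ipfw add deny ip from any to any
# Every NATed packet leaves the kernel for natd and comes back; PF does the
# translation in-kernel as part of the same state lookup.

ext_if  = "fxp0"                         # assumed outside interface
int_if  = "fxp1"                         # assumed inside interface
lan_net = "192.168.1.0/24"               # assumed LAN prefix
web_pool = "{ 192.168.1.10, 192.168.1.11 }"   # assumed internal web servers

# Normalise fragments / bogus flags before any rule sees the packet
scrub in all

# In-kernel NAT: LAN hosts leave with the gateway's current external address
nat on $ext_if from $lan_net to any -> ($ext_if)

# Address pool + round-robin: inbound port 80 is spread over the web servers
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_pool round-robin

# Default deny, log what is dropped
block in log all
pass quick on lo0 all

# Dynamic rules: the first packet creates a state entry, replies are matched
# against that entry instead of being re-evaluated against the ruleset
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass in  on $int_if from $lan_net to any keep state

# Traffic to the redirected pool: only a clean SYN may open a state, and PF
# answers the handshake itself before the backend sees the connection
pass in on $ext_if proto tcp from any to $web_pool port 80 flags S/SA synproxy state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table the keep-state rules populate.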