From: Max Laier
To: freebsd-ipfw@freebsd.org
Cc: Castl Troy
Date: Sat, 11 Dec 2004 17:53:25 +0100
Subject: Re: ipfw vs ipfilter
Message-Id: <200412111753.32974.max@love2party.net>

On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
>
> Can anybody help me with understanding the difference between ipfilter (ipf)
> and ipfirewall (ipfw)?
> Any link to docs or info will greatly help me. I have used FreeBSD for almost 5
> years, but I used only ipfw for packet routing
> and never used ipfilter for this. I wonder, is it an "internal" packet routing
> mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but I really don't know what ipfilter is;
> man ipf did not help me with understanding the difference.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

There are quite a few differences between IPFW and IPF or PF (which is the
third firewall software currently available). The short answer is that IPFW
provides a low-level filter mostly focused on the IP layer, while PF also
provides sophisticated filtering on the TCP/UDP layer. I am not saying it is not
possible to filter UDP/TCP with IPFW, but not to the degree that it is possible
with PF. Included in this point is the focus on static (IPFW) vs. dynamic (PF)
rules. IPFW provides dynamic rules, but - when compared to PF - a very
limited version. One should note that IPFW is very fast when evaluating
static rules, while PF is not as fast with static rules but gains a lot with
dynamic rules. Finally, IPFW does not have a network address translation
unit in-kernel and needs to divert packets to userland utilities to perform
NAT. PF does that in the kernel and provides - in conjunction with the
dynamic rules - very powerful means to do load balancing.

The other obvious difference is the ruleset syntax. This is mostly a matter
of choice. I personally find that PF style rulesets are easier to read.

As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.
As IPF in the tree is still version 3.x, it is lacking quite a few of the nice
new features - address pools, e.g. So if you want to look at an alternative
to IPFW you had better look at PF.

More information about PF, as mentioned in the handbook:
http://www.openbsd.org/faq/pf/index.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News