From owner-freebsd-security Wed Jan 29 18:45:26 2003
Date: Wed, 29 Jan 2003 21:45:20 -0500
From: "Scott M. Nolde"
To: theob@za.uu.net
Cc: freebsd-security@freebsd.org
Subject: Re: The way forward
Message-ID: <20030130024520.GJ83557@smnolde.com>
References: <20030128085617.L167@woody.ops.uunet.co.za>
In-Reply-To: <20030128085617.L167@woody.ops.uunet.co.za>
User-Agent: Mutt/1.4i
X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48

theob@za.uu.net(theob@za.uu.net)@2003.01.28 08:59:27 +0000:
> Hi List
> Thanks

Not to start a flame war either, but I like both and use both ipfw and ipf together. I use ipfw+dummynet for QoS and traffic shaping with a minimal ruleset to pretty much allow all. After the packets are processed by ipfw, they're passed to ipf, which does the really hard stuff: stateful packet inspection and NAT. ipnat is nice because it's in kernel space and faster than natd. I also find that ipf has some nice tools and utilities you don't have with ipfw.

I'm new to ipf, and using it isn't much different from ipfw, but I've been told by reliable sources that if you're handling lots of traffic and require stateful inspection then ipf is the way to go. Print the ipfw man page out as well as the ipf how-to. I've got copies of both. There's more info in both of those documents than my brain can handle on most days.

I have a sample ipfw script which might help you in setting up a queuing and traffic-shaping pass-all packet filter. I use a version of this myself. Customize at will:

https://www.smnolde.com/ipfw/ipfw-queue-bw-only

Give ipf and ipfw a whirl and get the best out of both. I also hear there's AltQ coming to ipf in FreeBSD and there are patches for it, if you want to try it.

--
Scott Nolde
GPG Key 0xD869AB48

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
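The layering Scott describes, written out as an added example (this is not his linked script and not part of the original post): ipfw+dummynet shapes and passes everything, ipf does the stateful filtering, ipnat does the NAT. The interface names xl0 (outside) and xl1 (LAN), the 192.168.10.0/24 LAN and the 512 Kbit/s uplink are assumptions.

```shell
#!/bin/sh
# Constructed example (not the author's script): the two-layer gateway the
# post describes. ipfw + dummynet only shapes traffic and passes everything;
# ipf does stateful filtering and ipnat does NAT. Assumed: xl0 is the outside
# interface, xl1 the LAN (192.168.10.0/24), and the uplink is 512 Kbit/s.
# Layer 1: dummynet. One pipe sized to the uplink, two weighted queues so
# interactive traffic is not starved by bulk transfers, then a pass-all rule:
# ipfw does no access control here, ipf does.
apply_ipfw_shaping() {
    ipfw=$1                                 # /sbin/ipfw, or "echo" to preview
    $ipfw -f flush
    $ipfw pipe 1 config bw 512Kbit/s
    $ipfw queue 1 config pipe 1 weight 80 mask dst-ip 0xffffffff
    $ipfw queue 2 config pipe 1 weight 20 mask dst-ip 0xffffffff
    $ipfw add 100 queue 1 tcp from any to any 22 out via xl0   # ssh
    $ipfw add 110 queue 1 udp from any to any 53 out via xl0   # dns
    $ipfw add 200 queue 2 ip from any to any out via xl0       # everything else
    $ipfw add 65000 allow ip from any to any
}

# Layer 2: ipf. State is checked before rules, so replies to outbound
# connections come back in even though new inbound traffic on xl0 is blocked.
write_ipf_conf() {
    cat <<'EOF'
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on xl1 all
pass out quick on xl1 all
block in log quick on xl0 all
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
EOF
}

# Layer 3: ipnat. Hide the LAN behind the address of xl0 (0/32).
write_ipnat_conf() {
    cat <<'EOF'
map xl0 192.168.10.0/24 -> 0/32 portmap tcp/udp 10000:65000
map xl0 192.168.10.0/24 -> 0/32
EOF
}

case ${1:-} in
preview) apply_ipfw_shaping echo; write_ipf_conf; write_ipnat_conf ;;
apply)   apply_ipfw_shaping /sbin/ipfw
         write_ipf_conf > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf
         write_ipnat_conf > /etc/ipnat.conf && ipnat -CF -f /etc/ipnat.conf ;;
esac
```

`sh gateway.sh preview` prints the ipfw commands and both config files without touching the kernel; `sh gateway.sh apply` installs them and must run as root on the gateway.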