Date: Wed, 29 Jan 2003 21:45:20 -0500
From: "Scott M. Nolde" <scott@smnolde.com>
To: theob@za.uu.net
Cc: freebsd-security@freebsd.org
Subject: Re: The way forward
Message-ID: <20030130024520.GJ83557@smnolde.com>
In-Reply-To: <20030128085617.L167@woody.ops.uunet.co.za>
References: <20030128085617.L167@woody.ops.uunet.co.za>

theob@za.uu.net(theob@za.uu.net)@2003.01.28 08:59:27 +0000:
> Hi List
<snip>
> Thanks

Not to start a flame war either, but I like both and use both ipfw and ipf together.

I use ipfw+dummynet for QoS and traffic shaping with a minimal ruleset to pretty much allow all. After the packets are processed by ipfw, they're passed to ipf which does the really hard stuff: stateful packet inspection and NAT. ipnat is nice because it's in kernel space and faster than natd. I also find that ipf has some nice tools and utilities you don't have with ipfw.

I'm new to ipf, but using it isn't much different than ipfw, but I've been told by reliable sources that if you're handling lots of traffic and require stateful inspection then ipf is the way to go.

Print the ipfw man page out as well as the ipf how-to. I've got copies of both. There's more info in both of those documents than my brain can handle on most days.

I have a sample ipfw script which might help you in setting up a queuing and traffic-shaping packet pass-all packet filter. I use a version of this myself. Customize at will:

https://www.smnolde.com/ipfw/ipfw-queue-bw-only

Give ipf and ipfw a whirl and get the best out of both. I also hear there's AltQ coming to ipf in FreeBSD and there are patches for it, if you want to try it.

-- 
Scott Nolde
GPG Key 0xD869AB48

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message