From owner-freebsd-stable Fri Aug 18 11: 5: 8 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (Postfix) with ESMTP id CECB237B424 for ; Fri, 18 Aug 2000 11:05:05 -0700 (PDT)
Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.10.0/8.10.0) with ESMTP id e7II4wi11420; Fri, 18 Aug 2000 11:04:58 -0700 (PDT)
Date: Fri, 18 Aug 2000 11:04:58 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: Shawn Barnhart
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfilter v. ipfw
In-Reply-To: <000f01c00939$0dd7b480$b8209fc0@marlowe>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 18 Aug 2000, Shawn Barnhart wrote:

> | Hmmm. I do indeed have both "ipfilter" and "ipfw" support enabled in
> | my kernel. However, I am currently using only "ipfw" firewall rules
> | (in /etc/rc.firewall). I've been considering the idea of switching
> | over to the new "ipfilter" facility, but I haven't had time yet.
>
> Is ipfilter newer/better/smarter/faster/etc than ipfw? I've always been
> under the assumption that ipfw was the "built-in" packet filtering code
> and ipfilter was a kind of add-on filtering that wasn't as built-in.

I've got firewalls in place with each kind. Personally, I find ipfw more
flexible, especially now that it can track states.

ipfw works on a first-match engine, ipfilter works on a last-match engine
(I don't know why, it just means more work for the engine), though you can
include an option in each rule to make it act first-match.

ipfilter has in-kernel NAT, whereas ipfw uses natd in userspace, so there
might be a performance benefit there, but ipfilter also doesn't have any
way to say "machine A NATs to everything but net B", which really tripped
me up on one of our DMZ firewalls. We're going to be replacing ipfilter
with ipfw on that machine when we upgrade it to 4.1, for that reason.

I don't think ipfilter supports anything like divert sockets, for that
matter. Not a major issue, since the most common use for divert sockets is
natd, and ipfilter provides similar functionality.
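The first-match versus last-match distinction above is the one that most often bites when a ruleset is carried from one firewall to the other, so here is an added illustration (not code from the mailing-list post, nor from ipfw or ipfilter themselves). It simulates both matching disciplines over a deliberately simplified rule model that only looks at protocol and destination port, and it models ipfilter's per-rule "stop here" option as a `quick` flag; the rule and packet types and the `evaluate` helper are assumptions of this example. Running the same rule list through both engines shows how a ruleset written for one silently changes meaning under the other, and how the per-rule option restores first-match behaviour.

```python
"""Simulated first-match (ipfw-style) and last-match (ipfilter-style) rule engines.

Added illustration only; the rule model is intentionally minimal (protocol and
destination port) and is not the real syntax or semantics of either firewall.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"             # "tcp", "udp" or "any"
    dst_port: Optional[int] = None # None matches every port
    quick: bool = False            # last-match engine stops at this rule if it matches


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when its protocol and port constraints both apply."""
    return (rule.proto in ("any", pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfw-style: the first matching rule decides and evaluation stops."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfilter-style: every rule is examined and the last match wins,
    unless a matching rule is flagged quick, which ends evaluation there."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def evaluate(rules: List[Rule], pkt: Packet) -> dict:
    """Return the verdict of both engines for one packet, side by side."""
    return {"first_match": first_match(rules, pkt),
            "last_match": last_match(rules, pkt)}


# Constructed sample rulesets.
# Written with ipfw habits: allow SSH, then a catch-all block at the end.
IPFW_STYLE = [Rule("pass", "tcp", 22), Rule("block")]
# Written with ipfilter habits: catch-all block first, specific pass last.
IPF_STYLE = [Rule("block"), Rule("pass", "tcp", 22)]
# ipfw-style ordering made safe for a last-match engine via the quick flag.
IPFW_STYLE_QUICK = [Rule("pass", "tcp", 22, quick=True), Rule("block")]

SSH = Packet("tcp", 22)
SMTP = Packet("tcp", 25)


def demo() -> dict:
    """Verdicts of each ruleset under each engine for the two sample packets."""
    return {
        name: {pkt_name: evaluate(rules, pkt) for pkt_name, pkt in (("ssh", SSH), ("smtp", SMTP))}
        for name, rules in (("ipfw_style", IPFW_STYLE),
                            ("ipf_style", IPF_STYLE),
                            ("ipfw_style_quick", IPFW_STYLE_QUICK))
    }


if __name__ == "__main__":
    for ruleset, verdicts in demo().items():
        for pkt_name, v in verdicts.items():
            print(f"{ruleset:18} {pkt_name:5} first-match={v['first_match']:5} last-match={v['last_match']}")
```

The ipfw-style list passes SSH under the first-match engine but blocks it under the last-match engine, because the trailing catch-all is the last rule that matches; the ipfilter-style list does the reverse. Adding the per-rule stop option to the pass rule makes the ipfw-style ordering behave the same way under both engines, which is the "make it act first match" option the post refers to.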