From: Jonathan Fosburgh
Date: Fri, 18 Aug 2000 13:18:33 -0500 (GMT-6:00)
To: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfilter v. ipfw
Message-ID: <14749.32249.842000.944007@jef-nt.mdacc.tmc.edu>
In-Reply-To: <20000818141256.A29131@pir.net>
References: <000f01c00939$0dd7b480$b8209fc0@marlowe> <20000818141256.A29131@pir.net>

Peter Radcliffe writes:
> "Eric J. Schwertfeger" probably said:
> > I've got firewalls in place with each kind. Personally, I find ipfw more
> > flexible, especially now that it can track states. ipfw works on a first
> > match engine, ipfilter works on a last match engine (I don't know why, it
> > just means more work for the engine), though you can include an option to
> > each rule to make it act first match.
>
> I found ipfw far too limiting, state tracking or otherwise. I do
> use keep state in ipfilter quite happily.
>
> It also has a side advantage of being platform independent - I can use
> the same rule files on my FreeBSD boxes and my Solaris boxes.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

I personally find ipfilter to be a lot easier to configure. I was never able
to create a firewall with ipfw that I could get out of. :( My ipfilter
firewall works just fine (though it does have some problems when I go to
single-user mode and then come back up, but I can fix that by going with the
start/stop options in my /usr/local/etc/rc.d/ipf.sh). I find the rules for
ipfilter easier to understand conceptually than ipfw.

--
Jonathan Fosburgh
Open Systems Communications and Computer Services
MD Anderson Cancer Center
Houston, TX
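
The first-match versus last-match evaluation discussed in the quoted thread, as an added example that is not part of the original messages and is not ipfw or ipfilter code. It is a simplified model: the Rule fields, the sample rule lists, the probe packets and the default action of "block" are all constructed assumptions, and the `quick` flag stands in for the per-rule option mentioned in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port
    quick: bool = False           # per-rule "stop here" option (last-match engine only)

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in (None, proto) and self.port in (None, port)

def first_match(rules, proto, port, default="block"):
    """First-match engine: the first rule that matches decides the verdict."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default  # assumed default for this example

def last_match(rules, proto, port, default="block"):
    """Last-match engine: every rule is evaluated and the last match wins,
    unless a matching rule is marked quick, which ends evaluation there."""
    verdict = default
    for rule in rules:
        if rule.matches(proto, port):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

def disagreements(rules, probes):
    """Return the probe packets on which the two engines give different verdicts.
    Useful when carrying a rule list from one evaluation model to the other."""
    return [(proto, port) for proto, port in probes
            if first_match(rules, proto, port) != last_match(rules, proto, port)]

# Constructed rule lists: a general block followed by a specific allow.
RULES = [Rule("block"), Rule("pass", "tcp", 22)]
QUICK_RULES = [Rule("block", quick=True), Rule("pass", "tcp", 22)]
PROBES = [("tcp", 22), ("tcp", 80), ("udp", 53)]

if __name__ == "__main__":
    print("plain rules differ on:", disagreements(RULES, PROBES))
    print("quick rules differ on:", disagreements(QUICK_RULES, PROBES))
```

The same ordered list admits SSH under last-match evaluation and blocks it under first-match, so a rule file written for one model has to be reordered or given the per-rule option before it means the same thing in the other.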