Date: Wed, 20 Jul 2005 15:33:47 +0200
From: Max Laier <max@love2party.net>
To: freebsd-ipfw@freebsd.org
Cc: Roger Grosswiler <roger@gwch.net>
Subject: Re: Most wanted packet filter
Message-ID: <200507201533.53008.max@love2party.net>
In-Reply-To: <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>
References: <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>

On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > Roger Grosswiler wrote:
> >> Hi,
> >>
> >> i would like to know, which "firewall" is most wanted under freebsd. is
> >> it ipfw or is it ipf?
> >>
> >> i imagine, both have their advantages, but i would like to try first the
> >> most used because of support - poor rookie, i :-D
> >
> > Don't forget about the third one, called pf. ;)
> > It's a hard question. What does matter is which of them is the best *for
> > You*. As for me I use ipf and ipfw together. I think ipf is very easy to
> > configure but ipfw has more sophisticated features, for instance it can
> > be used for bandwidth controlling via dummynet facility. As for pf, I
> > don't know it.
> >
> > Cheers,
> >
> > Gábor Kövesdán
>
> Thanks Gabor,
>
> I thought so. What i read, i should prefer ipf. What i also would like to
> know, whether there is something, the freebsd-world calls "standard"? I mean,
> the title of this list is freebsd-ipfw ;-)

There is a list called freebsd-pf@ as well where you will find support for pf
related questions.

IMO you have to decide a couple of things:

1) Which syntax is the most natural for you?
   Choices: IPFW vs. IPF/PF
2) What do you want to achieve?
   Choices: Fast packet pushing with little sanity checks as usual on an ISP
   router vs. High level of sanity checks while giving up some performance.
   IPFW provides for the first, PF for the latter. However, both can be
   configured to provide high performance and both can be configured to provide
   a high level of sanity checks - this reflects just what is the "natural"
   configuration for the system. PF can check some things that IPFW can't and
   IPFW can provide pps-rates that PF will not get close to, but those are edge
   cases you probably don't have to deal with.

Why not IPF?

1) It seems to be broken in RELENG_5 as several people report on
   freebsd-stable@. There is an issue with SMP/PREEMPTION and no solution seems
   to be worked on.
2) It's undermaintained (IMO)
3) It doesn't provide any benefit over PF

http://www.openbsd.org/faq/pf/index.html is a really good guide to get started
with PF, btw.

IMHO PF is the best firewall system available for protecting networks as the
only firewall between clients and the internet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News