From owner-freebsd-stable Sat Oct 13 0:16:58 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by hub.freebsd.org (Postfix) with ESMTP id E260637B40F; Sat, 13 Oct 2001 00:16:45 -0700 (PDT)
Received: from xtremedev.com (xtremedev.com [216.241.38.65]) by mail.XtremeDev.com (Postfix) with ESMTP id D366170614; Sat, 13 Oct 2001 01:16:44 -0600 (MDT)
Date: Sat, 13 Oct 2001 01:16:44 -0600 (MDT)
From: FreeBSD
To: Steve Bernard
Cc: freebsd-stable@FreeBSD.ORG
Subject: RE: IPFW or IPFILTER?
Message-ID: <20011013011552.X75955-100000@Amber.XtremeDev.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Right. I never said it doesn't on OpenBSD. Only that ipf doesn't support bridging in FreeBSD.

On Fri, 12 Oct 2001, Steve Bernard wrote:

> OpenBSD does support bridging and more specifically it supports bridging
> firewalls.
>
> From the bridge(4) man page:
>
> "The bridge device creates a logical link between two or more Ethernet
> interfaces or encapsulation interfaces. This link between the interfaces
> selectively forwards frames from each interface on the bridge to every other
> interface on the bridge. A bridge can serve several services, including
> isolation of traffic between sets of machines so that traffic local to one
> set of machines is not available on the wire of another set of machines, and
> it can act as a transparent filter for ip(4) datagrams."
>
> Bridges use the 'bridge' pseudo-device and are configured using brconfig(8).
>
> Regards,
>
> Steve
>
> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of FreeBSD
> Sent: Friday, October 12, 2001 2:30 PM
> To: Maine LOA List Admin (Brent Bailey)
> Cc: Hartmann, O.; freebsd-stable@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Subject: Re: IPFW or IPFILTER?
>
> IPFW has dummynet. The ipf author suggests using ALTQ. ipf also supports
> round-robin port forwarding to multiple servers (and a little app to check
> for downed servers etc.) in ipnat if you run a cluster, and can port
> forward a range of ports without separate rules for each (IIRC). ipf has also
> been around much longer than ipfw in terms of development time, and is
> more mature code (as evident by ipfw's past security issues). I've found myself
> able to do quite a bit with ipf/ipnat; bimap/map helps a great deal. ipf
> also has the distinction of being on all the BSDs (it used to be used
> exclusively by OpenBSD as its only firewall) and even on early 2.0.x
> Linux kernels, as well as on Solaris. So if you know ipf rule syntax, you
> are guaranteed to be useful on a good many UNIX systems.
>
> ipfw currently has bridging support in FreeBSD while ipf does not. This is
> being worked on and should change fairly soon. ipfw has tighter
> integration with FreeBSD than ipf, which also means that it gets updated
> more often, and fewer changes in FreeBSD break things with the firewall.
>
> If you require ipfw/dummynet features but prefer or require ipf/ipnat-only
> features, you can always combine them. I currently use ipfw/dummynet for
> bandwidth shaping and ipf as my primary filter processing. Just remember
> that ipfw gets processed first on incoming packets, then ipf.
>
> Performance is negligible unless you have hundreds or even thousands of
> rules (which some do). Then the tree capabilities of ipf really shine,
> not because of the job it does, but because it makes really readable
> rules. When I tried with ipfw's skipto, I was suddenly reminded of the
> goto statements in BASIC a long, long time ago, and I had to cringe.
>
> As a side note, OpenBSD is no longer including ipf in its default
> installs now, but is instead using pf, a new firewall being written. But
> pf will use the same syntax rules as ipf, so you'd still be "guaranteed a
> job" if you move OSes.
>
> On Fri, 12 Oct 2001, Maine LOA List Admin (Brent Bailey) wrote:
>
> > Everything I've read on the FBSD site, as well as from experience, is that IPFW is
> > more versatile; you can do more with it,
> > including traffic shaping ("pipe & queue" and dummynet), as well as being a plain
> > out better firewall than IPFILTER. Again, this is mostly
> > opinion. As far as speed, IPFW is a hair slower than IPFILTER, but I'm sure
> > you wouldn't even notice the difference.
> > I run 2 FBSD gateway machines running IPFW w/ NATD. Each gateway is
> > supporting 100+ users and workstations
> > each, and I've never had any issues with setting up for speed or
> > stability; both FBSD machines have uptimes in excess of 200 days.
> > Plus the fact there's tons of "howtos" for IPFW and NAT.
> >
> > B
> > ----- Original Message -----
> > From: "Hartmann, O."
> > Sent: Friday, October 12, 2001 9:46 AM
> > Subject: IPFW or IPFILTER?
> >
> > > Hello.
> > >
> > > Please do not understand this question as a question of what I believe in;
> > > it is simply a question of what to use for best performance.
> > >
> > > FreeBSD uses two filtering systems, ipfw and ipfilter, and each of these
> > > systems has its own advantages and disadvantages. ipfilter seems to
> > > be more sophisticated in how to write rules.
> > > At the moment, we use ipfw around here due to the easy rule syntax. But
> > > that is not what should be the main argument. I want to ask about the
> > > performance, meaning the throughput/bandwidth. Does anyone know something
> > > about the bandwidth of both filters? What are the pros and cons?
> > >
> > > Thanks,
> > > Oliver
> > >
> > > --
> > > MfG
> > > O. Hartmann
> > >
> > > ohartman@klima.physik.uni-mainz.de
> > > ----------------------------------------------------------------
> > > IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
> > > ----------------------------------------------------------------
> > > Johannes Gutenberg Universitaet Mainz
> > > Becherweg 21
> > > 55099 Mainz
> > >
> > > Tel: +496131/3924662 (Maschinenraum)
> > > Tel: +496131/3924144
> > > FAX: +496131/3923532
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-stable" in the body of the message
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
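The combination the quoted reply describes, ipfw/dummynet doing only the bandwidth shaping while ipf makes every accept/deny decision and ipf's head/group rules providing the readable rule tree, as an added example that is not part of the thread and is not any poster's actual configuration. The interface name, the addresses, the bandwidths and the list of exposed ports are assumptions chosen for illustration. The script prints what it would do unless DRY_RUN=0, so the generated rule sets can be reviewed before being loaded on a live gateway.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: run ipfw purely as a
# dummynet shaper and let IPFilter do all the filtering.
# EXT_IF, INT_NET, WEB_SRV, DOWN_BW and UP_BW are made-up values.
DRY_RUN=${DRY_RUN:-1}
EXT_IF=${EXT_IF:-fxp0}            # outside interface (assumed)
INT_NET=${INT_NET:-10.0.0.0/24}   # inside network (assumed)
WEB_SRV=${WEB_SRV:-10.0.0.5}      # inside host reachable from outside (assumed)
DOWN_BW=${DOWN_BW:-512Kbit/s}
UP_BW=${UP_BW:-128Kbit/s}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipfw side: two dummynet pipes and then an unconditional allow, so ipfw
# never turns into a second, accidental filter. The poster notes ipfw sees
# incoming packets before ipf, so shaping happens before ipf decides.
ipfw_rules() {
    echo "ipfw -f flush"
    echo "ipfw -f pipe flush"
    echo "ipfw pipe 1 config bw $DOWN_BW"
    echo "ipfw pipe 2 config bw $UP_BW"
    echo "ipfw add 100 pipe 1 ip from any to any in via $EXT_IF"
    echo "ipfw add 200 pipe 2 ip from any to any out via $EXT_IF"
    echo "ipfw add 65000 allow ip from any to any"
}

# Sanity check: ipfw's built-in rule 65535 denies everything unless the
# kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so the generated set
# must end in an explicit allow. Returns 0 when it does.
ipfw_passes_through() {
    ipfw_rules | tail -n 1 | grep -q 'allow ip from any to any'
}

# ipf side: the rule tree the poster prefers over ipfw's skipto. The head
# rule on the outside interface blocks everything unless one of the quick
# rules in group 100 passes the packet, keeping that interface's policy in
# one place instead of scattered jump targets.
ipf_rules() {
    cat <<EOF
# default policy: drop and log anything not matched below
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# outside interface: hand inbound packets to the rules under head 100
block in quick on $EXT_IF all head 100
block in quick on $EXT_IF from $INT_NET to any group 100
pass in quick on $EXT_IF proto tcp from any to $WEB_SRV port = 80 flags S/SA keep state group 100
pass in quick on $EXT_IF proto tcp from any to $WEB_SRV port = 22 flags S/SA keep state group 100
pass in quick on $EXT_IF proto icmp from any to any icmp-type echo keep state group 100
# replies to inside-initiated traffic come back through the state table
pass out quick on $EXT_IF proto tcp/udp from any to any keep state
pass out quick on $EXT_IF proto icmp from any to any keep state
EOF
}

# Load both rule sets; refuse if ipfw would silently block traffic.
apply() {
    ipfw_passes_through || { echo "refusing: ipfw ruleset does not end in allow" >&2; return 1; }
    ipfw_rules | while read -r cmd; do run $cmd; done
    if [ "$DRY_RUN" = 1 ]; then
        echo "--- would write /etc/ipf.rules ---"
        ipf_rules
        echo "ipf -Fa -f /etc/ipf.rules"
    else
        ipf_rules > /etc/ipf.rules
        ipf -Fa -f /etc/ipf.rules
    fi
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh shape-and-filter.sh apply` to review the output, then `DRY_RUN=0 sh shape-and-filter.sh apply` on the gateway. The one deliberate design choice is that ipfw's last rule is an allow: if you also want ipfw to drop something, put that decision in the ipf group instead, so that there is exactly one place where traffic is accepted or refused.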