Date:      Wed, 26 Dec 2001 21:58:02 +0100
From:      Kjell <kmidtset@c2i.net>
To:        barbish@a1poweruser.com
Cc:        questions@FreeBSD.ORG
Subject:   Re: ipf/IPFilter/ipnat  vers    ipfw/IPFW/nat
Message-ID:  <20011226215900.C8EEC7F74@mail.broadpark.no>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOAEHFCKAA.barbish@a1poweruser.com>
References:  <LPBBIGIAAKKEOEJOLEGOAEHFCKAA.barbish@a1poweruser.com>

On Wednesday 26 December 2001 10:24 pm, you wrote:
> I scanned the questions archives and sniped this info.
> I would like to know if the views stated are correct.
> Any other insight or background info would be great.
>
> Does the ipf port install as userland or kernel & how to force kernel?
> Is there a package install for ipf or ipnat?
> Where would I find the ipf and ipnat ports?
> Where can I find info on ipnat?
> What is the difference between nat and ipnat if both run in user land?
> Does IPFilter have a built in nat function?
>
>
> SNIPPETS ABOUT ipf/IPFilter/ipnat
>
> ipf being the real time interactive control interface to Darren Reed's
> IPFilter package.
> ipf has to be compiled from ports. ipf runs as-is in userspace, and can be
> compiled into the kernel. ipf is available on OpenBSD, NetBSD, Linux as
> well as FreeBSD, so familiarity with it enables a bit of portability that
> ipfw doesn't give you. ipf has the ability to keep two rule sets loaded,
> and allows you to easily switch between them.  This is especially useful
> when changing or interactively debugging rule sets on an active connection.
>
> IPFilter is a firewalling package from Darren Reed. It runs entirely in
> the kernel. It comes distributed with the FreeBSD kernel source code in
> /sys/contrib/ipfilter/netinet/. One of the real advantages of IPFilter is
> that it does everything in kernel space, including NAT, so it's faster. The
> IPFilter rule set syntax is different than IPFW. IPFilter rules are last
> rule to match gets control, where IPFW it's the first rule to match gets
> control.
>
>
> IPFILTER is part of the GENERIC kernel, so no rebuild is required. You just
> have to enable it in the rc.conf file. I just switched from ipfw to
> ipfilter, and I found ipfilter easier to set up. Using the ipfilter/ipnat
> combination I was able to implement filters I never managed to get working
> under ipfw.....
I am responsible for the above quote. It is not strictly correct. My current 
understanding is that by inserting the proper statement in rc.conf Ipfilter 
will be loaded as a loadable module. This is good for experimentation, but 
the recommended way is to compile Ipfilter as part of your kernel....

>
> I use ipfilter/ipnat and like the way you can flush/edit the kernel filter
> list and the possibility to create nice config files for it. As I see it
> ipfilter is better at handling large configurations. It also uses a
> technique which processes the whole rule set, which might be a bit
> confusing when you first start using it.
> I used ipfw & natd for a while but since these copy packets from kernel to
> userland, and ipfilter/ipnat don't, ipfilter gives _way_ more performance
> on a busy network.
>
> For home use I shouldn't care if I were you; if ipfw suits you and does
> 'your thing' use it. :)
>
>
>
> SNIPPETS ABOUT ipfw/IPFW/NAT
>
> Is it true about capital letters and lower case letters for
> ipfw meaning two different functions?
> Is it true that IPFW runs in kernel land and all traffic has to be handled
> twice if NAT is used?
> Where does one find the open and standard ipfw rules file?
> Are there any sample rules files with comments to copy from?
>
>
>
>
> IPFW is the FreeBSD *native* firewall. IPFW is part of the core FreeBSD OS.
> IPFW in capital letters references the native functions of FBSD.
> ipfw in lower case letters references the interface to the IPFW FBSD native
> firewall.   No firewalling is going to run very efficiently in "user
> space", passing packets out of the kernel for processing, which is what natd
> does under ipfw. Keep in mind though that it will only filter IP packets.
> All others will be passed unless you hack around that in
> the kernel. The man pages are wrong on this point.
>
> How can I get ipfw log file with writing size of the transmitted packets?
> Is it possible at all? Not with ipfw(8) logging as it exists in the base
> system.
>
> The ipfw -f flush and other rules you list are only run if your rc.firewall
> is run before your firewall.conf (or ipfw.rules).  For instance, in rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/firewall.conf"
>
> if you skip the call to rc.firewall, then you'll want to add the explicit
> calls into ipfw.rules or firewall.conf.
>
>
> I had natd running for a while but that caused a 100% cpu load when there
> was much traffic; now with ipnat it never gets higher than 20%
>
Quite a collection of contradictions. My conclusion would be that you should 
not use this list to gain a basic understanding of how things function. But 
it is fine to get the answer to a specific question. To learn about 
firewalling, read a book like O'Reilly's Firewalls. To implement a firewall, 
read one of the fine articles on onlamp.org. If you have specific questions 
during your implementation, ask the questions here.

GL from Kjell/LA3SG
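The quoted snippet contrasts IPFilter's "last matching rule wins" with IPFW's "first matching rule wins". The following is an added toy model (not code from the thread or from either firewall) that evaluates one constructed two-rule list under both orders, plus ipf's "quick" keyword, which ends evaluation at the matching rule. The default verdicts are parameters, since ipfw's fallback depends on the kernel's default rule and ipf passes when nothing matches.

```python
# Added example: toy model of ipfw (first match) vs ipf (last match, "quick")
# rule evaluation. Rules and packets below are constructed, not real configs.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    quick: bool = False      # ipf-style "quick": stop walking the list here


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and (rule.dst_port is None or rule.dst_port == pkt["dst_port"]))


def ipfw_verdict(rules: List[Rule], pkt: dict, default: str = "block") -> str:
    # ipfw semantics: the first rule that matches decides the packet's fate.
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def ipf_verdict(rules: List[Rule], pkt: dict, default: str = "pass") -> str:
    # ipf semantics: every rule is examined; the last match decides, unless
    # a matching rule is marked "quick", which ends the walk immediately.
    verdict = default
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Constructed rule list written the "ipfw way": allow ssh, then block the rest.
RULES = [
    Rule("pass", "tcp", 22),
    Rule("block", "any", None),
]


def demo() -> tuple:
    # Same rules, same ssh packet, opposite results under the two orders.
    ssh = {"proto": "tcp", "dst_port": 22}
    return ipfw_verdict(RULES, ssh), ipf_verdict(RULES, ssh)
```

Under ipf the catch-all block rule matches last and wins; marking the pass rule `quick` (or putting the block rule first) restores the intended result.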

