From: Kjell
To: barbish@a1poweruser.com
Cc: questions@FreeBSD.ORG
Subject: Re: ipf/IPFilter/ipnat vers ipfw/IPFW/nat
Date: Wed, 26 Dec 2001 21:58:02 +0100

On Wednesday 26 December 2001 10:24 pm, you wrote:
> I scanned the questions archives and snipped this info.
> I would like to know if the views stated are correct.
> Any other insight or background info would be great.
>
> Does the ipf port install as userland or kernel & how to force kernel?
> Is there a package install for ipf or ipnat?
> Where would I find the ipf and ipnat ports?
> Where can I find info on ipnat?
> What is the difference between nat and ipnat if both run in user land?
> Does IPFilter have a built in nat function?
>
>
> SNIPPETS ABOUT ipf/IPFilter/ipnat
>
> ipf being the real time interactive control interface to Darren Reed's
> IPFilter package.
> ipf has to be compiled from ports. ipf runs as-is in userspace, and can be
> compiled into the kernel. ipf is available on OpenBSD, NetBSD, Linux as
> well as FreeBSD, so familiarity with it enables a bit of portability that
> ipfw doesn't give you.
> ipf has the ability to keep two rule sets loaded,
> and allows you to easily switch between them. This is especially useful
> when changing or interactively debugging rule sets on an active connection.
>
> IPFilter is a firewalling package from Darren Reed. It runs entirely in
> the kernel. It comes distributed with the FreeBSD kernel source code in
> /sys/contrib/ipfilter/netinet/. One of the real advantages of IPFilter is
> that it does everything in kernel space, including NAT, so it's faster. The
> IPFilter rule set syntax is different than IPFW. IPFilter rules are last
> rule to match gets control, where IPFW it's the first rule to match gets
> control.
>
>
> IPFILTER is part of the GENERIC kernel, so no rebuild is required. You just
> have to enable it in the rc.conf file. I just switched from ipfw to ipfilter,
> and I found ipfilter easier to set up. Using the ipfilter/ipnat combination I
> was able to implement filters I never managed to get working under
> ipfw.....

I am responsible for the above quote. It is not strictly correct. My current
understanding is that by inserting the proper statement in rc.conf Ipfilter
will be loaded as a loadable module. This is good for experimentation, but
the recommended way is to compile Ipfilter as part of your kernel....

> I use ipfilter/ipnat and like the way you can flush/edit the kernel filter
> list and the possibility to create nice config files for it. As I see it
> ipfilter is better handling large configurations. It also uses a technique
> which processes the whole rule set which might be a bit confusing when you
> first start using it.
> I used ipfw & natd for a while but since these copy packets from kernel to
> userland, and ipfilter/ipnat don't, ipfilter gives _way_ more performance
> on a busy network.
>
> For home use I shouldn't care if I were you; if ipfw suits you and does
> 'your thing' use it. :)
>
>
>
> SNIPPETS ABOUT ipfw/IPFW/NAT
>
> Is it true about capital letters and lower case letters for
> ipfw meaning two different functions?
> Is it true that IPFW runs in kernel land and all traffic has to be handled
> twice if NAT is used?
> Where does one find the open and standard ipfw rules file?
> Are there any sample rules files with comments to copy from?
>
>
> IPFW is the FreeBSD *native* firewall. IPFW is part of the core FreeBSD OS.
> IPFW are capital letters and references the native functions of FBSD.
> ipfw lower case letters reference the interface to the IPFW FBSD native
> firewall. No firewalling is going to run very efficiently in "user
> space", passing packets out of the kernel for processing which is what natd
> does, under ipfw. Keep in mind though that it will only filter IP packets.
> All others will be passed unless you hack around that in
> the kernel. The man pages are wrong on this point.
>
> How can I get ipfw log file with writing size of the transmitted packets?
> Is it possible at all? Not with ipfw(8) logging as it exists in the base
> system.
>
> the ipfw -f flush and other rules you list are only run if your rc.firewall
> is run before your firewall.conf (or ipfw.rules). for instance, in rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/firewall.conf"
>
> if you skip the call to rc.firewall, then you'll want to add the explicit
> calls into ipfw.rules or firewall.conf.
>
>
> I had natd running for a while but that caused a 100% cpu load when there
> was much traffic, now with ipnat it never gets higher than 20%

Quite a collection of contradictions. My conclusion would be that you should
not use this list to gain a basic understanding of how things function. But
it is fine to get the answer to a specific question. To learn about
firewalling, read a book like O'Reilly's Firewalls. To implement a firewall,
read one of the fine articles on onlamp.org. If you have specific questions
during your implementation, ask the questions here.

GL from Kjell/LA3SG
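The one point in the quoted snippets that is not a contradiction is the rule-ordering difference: IPFilter lets the last matching rule decide (unless a rule carries the `quick` keyword), while IPFW stops at the first match. The simulator below is an added example written for this reply, not code from the thread or from either firewall; the simplified rule model, the `quick` flag on the pass rule and the sample packets are constructed assumptions.

```python
# Added example: simulate the rule-evaluation orders quoted in the thread.
# ipf: the LAST matching rule decides unless a rule says "quick"; ipfw: the FIRST match decides.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                   # simplified rule model (assumption, not real ipf/ipfw syntax)
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]      # destination port, None = any port
    quick: bool = False       # ipf keyword: stop evaluating at this rule

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt["dport"]))

def ipf_decide(rules, pkt, default="pass"):
    """IPFilter: walk the whole set, last match wins, 'quick' ends the walk; unmatched packets pass."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision

def ipfw_decide(rules, pkt, default="block"):
    """ipfw: first match wins; the final rule 65535 denies unless the kernel was built otherwise."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default

# Constructed rule set as an ipfw user would write it: allow ssh, then block everything else.
IPFW_STYLE = [Rule("pass", "tcp", 22), Rule("block", "any", None)]
# The same intent for ipf needs 'quick' on the pass rule, or the trailing block wins.
IPF_STYLE = [Rule("pass", "tcp", 22, quick=True), Rule("block", "any", None)]
SSH = {"proto": "tcp", "dport": 22}    # constructed sample packet
HTTP = {"proto": "tcp", "dport": 80}   # constructed sample packet

def compare(pkt: dict) -> dict:
    """Verdict of each engine, plus ipf fed the ipfw-ordered set (the common porting mistake)."""
    return {"ipfw": ipfw_decide(IPFW_STYLE, pkt),
            "ipf_same_order": ipf_decide(IPFW_STYLE, pkt),
            "ipf_with_quick": ipf_decide(IPF_STYLE, pkt)}

if __name__ == "__main__":
    for name, pkt in (("ssh", SSH), ("http", HTTP)):
        print(name, compare(pkt))
```

Feeding an ipfw-ordered set to ipf unchanged silently blocks the ssh packet the author meant to allow, which is the kind of surprise the "processes the whole rule set" remark above is warning about.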