From: Kurt Jaeger
To: Daniel Pocock
Cc: freebsd-isp@freebsd.org
Date: Tue, 27 Sep 2005 07:39:41 +0200
Subject: Filtering (was Re: FreeBSD, quagga (BGP) and 2950 VLANs)

Hello,

> I'm now starting to look at how to filter packets that I am forwarding,
> to ensure that none of the people I connect to can use me as their
> default route (unless I give them permission to do so). The FreeBSD
> docs mention three different packet filters - pf, ipfw and ipf.

We use ipfw on FreeBSD. It's simple and it works and it's the native
approach.

pf is a relevant alternative, because it's very actively developed
by the OpenBSD community.

ipf: It's very portable to other platforms, but it looks a bit stale (?).

> Does any of these have specific benefits for a routing device that is
> forwarding 99.9% of its traffic to other hosts, or is it just a
> question of personal preference? The rules I intend to write are fairly
> simple, and I don't need any state-based stuff.

If you start anew, maybe pf is the way to go.

-- 
MfG/Best regards, Kurt Jaeger                    15 years to go !
LF.net GmbH        fon +49 711 90074-23  pi@LF.net
Ruppmannstr. 27    fax +49 711 90074-33
D-70565 Stuttgart  mob +49 171 3101372