Date:      Sat, 11 Dec 2004 17:53:25 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-ipfw@freebsd.org
Cc:        Castl Troy <mastah@phreaker.net>
Subject:   Re: ipfw vs ipfilter
Message-ID:  <200412111753.32974.max@love2party.net>
In-Reply-To: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net>
References:  <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net>


On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
>
> Can anybody help me with understanding the difference between ipfilter (ipf)
> and ipfirewall (ipfw)?
> Any link to docs or info will greatly help me. I have used FreeBSD for almost 5
> years, but I used only ipfw for packet routing
> and never used ipfilter for this. I wonder, is it an "internal" packet routing
> mechanism, or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but I really don't know what ipfilter is;
> man ipf did not help me with understanding the difference.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

There are quite a few differences between IPFW and IPF or PF (which is the
third firewall software currently available).  The short answer is that IPFW
provides a low-level filter mostly focused on the IP layer, while PF also
provides sophisticated filtering on the TCP/UDP layer.  I am not saying it is
not possible to filter UDP/TCP with IPFW, but not to the degree that it is
possible with PF.  Included in this point is the focus on static (IPFW) vs.
dynamic (PF) rules.  IPFW provides dynamic rules, but - when compared to PF - a
very limited version.  One should note that IPFW is very fast when evaluating
static rules, while PF is not as fast with static rules but gains a lot with
dynamic rules.  Finally, IPFW does not have a network address translation
unit in-kernel and needs to divert packets to userland utilities to perform
NAT.  PF does that in the kernel and provides - in conjunction with the
dynamic rules - very powerful means to do load balancing.

The other obvious difference is the ruleset syntax.  This is mostly a matter
of choice.  I personally find that PF-style rulesets are easier to read.

As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.
As the IPF in the tree is still version 3.x, it is lacking quite a few of the
nice new features, e.g. address pools.  So if you want to look at an
alternative to IPFW, you had better look at PF.

More information about PF, as mentioned in the handbook:
    http://www.openbsd.org/faq/pf/index.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

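As an added illustration, not part of Max's mail nor taken from the FreeBSD or OpenBSD documentation, the two points he makes about state and NAT look like this in configuration: an IPFW ruleset that tracks connections with keep-state/check-state and hands NAT to the userland natd through a divert rule, beside a pf.conf (FreeBSD 5.3-era syntax) that translates in-kernel and uses a round-robin rdr for the kind of load balancing mentioned. The interface names (em0 external, em1 LAN), the 192.168.1.0/24 network and the 10.0.0.10/10.0.0.11 server pool are assumed.

```conf
# --- /etc/ipfw.rules: load with `ipfw /etc/ipfw.rules` ---
# Assumed topology: em0 = external, em1 = LAN 192.168.1.0/24.
# The kernel needs IPDIVERT, and natd must run on em0
# (natd_enable="YES", natd_interface="em0" in rc.conf); "natd" is the
# divert port from /etc/services. NAT is done by that userland process.
add 10 allow ip from any to any via lo0
add 100 divert natd ip from any to any via em0
# check-state matches packets belonging to existing dynamic rules
add 200 check-state
# keep-state creates a dynamic rule per connection (the limited form Max refers to)
add 300 allow tcp from 192.168.1.0/24 to any out via em0 setup keep-state
add 400 allow udp from 192.168.1.0/24 to any out via em0 keep-state
add 500 allow icmp from any to any icmptypes 0,3,8,11
# static default deny; everything above it is evaluated top to bottom
add 65000 deny log ip from any to any

# --- /etc/pf.conf: load with `pfctl -f /etc/pf.conf` ---
# Same assumed topology; web_pool holds two assumed internal web servers.
ext_if = "em0"
int_if = "em1"
lan = "192.168.1.0/24"
web_pool = "{ 10.0.0.10, 10.0.0.11 }"

scrub in all

# Translation happens in-kernel; ($ext_if) re-reads the interface address
# if it changes, so no userland daemon is involved.
nat on $ext_if from $lan to any -> ($ext_if)
# Load balancing: inbound port 80 is spread over the pool, one state entry
# per connection, which is what ties balancing to the dynamic rules.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_pool round-robin

block in log all
# Outbound rules see the already translated source, hence "all" here.
pass out on $ext_if all keep state
pass in on $int_if from $lan to any keep state
# synproxy completes the TCP handshake in PF before the server sees it.
pass in on $ext_if proto tcp from any to $web_pool port 80 flags S/SA synproxy state
```

In the IPFW half every outbound connection produces a dynamic rule but the translation still crosses into natd and back; in the PF half the state table carries both the filter decision and the translation, which is why Max describes PF's dynamic rules as the more complete version.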