Date: Wed, 21 Nov 2001 19:25:12 +0200
From: "Dave Raven" <dave@raven.za.net>
To: <freebsd-security@FreeBSD.org>
Subject: Re: Best security topology for FreeBSD
Message-ID: <005f01c172b1$7a8503c0$3600a8c0@DAVE>
References: <20011121181929.A15275@heresy.dreamflow.nl>

ipfw runs in the kernel, but NAT runs in userland. With IPFilter this is
not so; IPNat runs in the kernel and should be faster. If you are planning
on large usage I would recommend IPFilter (less load) and IPNat.

But then, don't quote me.

--Dave
Optec Sec.

----- Original Message -----
From: "Bart Matthaei" <bart@dreamflow.nl>
To: <freebsd-security@rikrose.net>
Cc: <security@freebsd.org>
Sent: Wednesday, November 21, 2001 7:19 PM
Subject: Re: Best security topology for FreeBSD

> On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net
> wrote:
> > Basically, ipfw doesn't give as much control over the packets and
> > filtering as ipfilter, so use both.
>
> Care to explain why? I think ipfw/ipf handle packets just as well..
> The only thing I recall is a story about ipfw sending packets through
> userland (?!). But that's just a vague story I've read somewhere.
>
> I don't see why ipfw can't do what he needs. Ipfw works pretty well
> with NAT, and it's good with traffic shaping. And I personally haven't
> had any troubles with ipfw filtering.
>
> Regards,
>
> B.
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> /* Welcome to my world.. You just live in it */