Date:      Wed, 20 Jul 2005 15:33:47 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-ipfw@freebsd.org
Cc:        Roger Grosswiler <roger@gwch.net>
Subject:   Re: Most wanted packet filter
Message-ID:  <200507201533.53008.max@love2party.net>
In-Reply-To: <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>
References:  <42267.62.2.21.164.1121863057.squirrel@www.gwch.net>

On Wednesday 20 July 2005 14:37, Roger Grosswiler wrote:
> > Roger Grosswiler wrote:
> >>Hi,
> >>
> >>i would like to know, which "firewall" is most wanted under freebsd. is it
> >>ipfw or is it ipf?
> >>
> >>i imagine, both have their advantages, but i would like to try first the
> >>most used because of support - poor rookie, i :-D
> >
> > Don't forget about the third one, called pf. ;)
> > It's a hard question. What does matter is which of them is the best *for
> > You*. As for me I use ipf and ipfw together. I think ipf is very easy to
> > configure but ipfw has more sophisticated features, for instance it can
> > be used for bandwidth controlling via dummynet facility. As for pf, I
> > don't know it.
> >
> > Cheers,
> >
> > Gábor Kövesdán
>
> Thanks Gabor,
>
> I thought so. What i read, i should prefer ipf. What i also would like to
> know, whether there is something, the freebsd-world calls "standard"? I mean,
> the title of this list is freebsd-ipfw ;-)

There is a list called freebsd-pf@ as well where you will find support for
pf-related questions.

IMO you have to decide a couple of things:

1) Which syntax is the most natural for you?
Choices: IPFW vs. IPF/PF

2) What do you want to achieve?
Choices: Fast packet pushing with few sanity checks as usual on an ISP
router vs. High level of sanity checks while giving up some performance.
IPFW provides for the first, PF for the latter.  However, both can be
configured to provide high performance and both can be configured to provide
a high level of sanity checks - this reflects just what is the "natural"
configuration for the system.  PF can check some things that IPFW can't and
IPFW can provide pps-rates that PF will not get close to, but those are edge
cases you probably don't have to deal with.

Why not IPF?
1) It seems to be broken in RELENG_5 as several people report on
freebsd-stable@.  There is an issue with SMP/PREEMPTION and no solution seems
to be worked on.
2) It's undermaintained (IMO)
3) It doesn't provide any benefit over PF

http://www.openbsd.org/faq/pf/index.html is a really good guide to get started 
with PF, btw.

IMHO PF is the best firewall system available for protecting networks as the 
only firewall between clients and the internet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
