Date:      Tue, 24 Apr 2001 19:03:26 +0000
From:      Gunther Schadow <gunther@aurora.regenstrief.org>
To:        Luigi Rizzo <luigi@info.iet.unipi.it>, freebsd-small@freebsd.org
Subject:   ipfw vs. ipf (was: Re: PicoBSD's kernel, /dev/kmem, and the kernfs
Message-ID:  <3AE5CDFE.9900D18B@aurora.regenstrief.org>
References:  <200104241825.UAA32171@info.iet.unipi.it>

Luigi Rizzo wrote:
> for once i should say:
> 
> try ipfw, it does most of the things ipfilter does (except for
> in-kernel nat) and something more (dummynet and fair queueing)

Yes, I actually started with ipfw but I now migrate to ipf. I
find ipfw and the DIVERT socket quite elegant, but still, I
migrate. The reasons I migrate to ipf (and the reason you might 
want to think about this too) are:

- ipf is across all *BSDs
- ipf is more likely to play well with IPsec
- ipf is (arguably) more secure

These points are actually dependent. The maintenance of ipf sounds
pretty strong to me, so I'd trust it more. I am generally worried 
about too much splintering between the *BSDs, and I prefer what
leaves me compatible. For PicoBSD issues there is a great benefit
of staying somewhat compatible to NetBSD, namely NetBSD's support
of other machine architectures. StrongARM or MIPS based systems
are often smaller and cheaper. The IPsec/ipf* integration is a
concern of everyone who builds a VPN-gateway and firewall. The KAME
people lean towards better IPsec SPD integration with ipf, because
ipf is a platform used across all *BSDs.

Finally, for dummynet and fair queuing I prefer using ALTQ, for
similar reasons. After I have survived the pain of saying goodbye
to ipfw, I wonder why FreeBSD tries to make its own thing with
ipfw instead of just riding the wave of ipf.

regards
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
