From owner-freebsd-stable Mon Oct  9 08:02:33 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from cmr1.ash.ops.us.uu.net (cmr1.ash.ops.us.uu.net [198.5.241.39]) by hub.freebsd.org (Postfix) with ESMTP id 3121237B502 for ; Mon, 9 Oct 2000 08:02:29 -0700 (PDT)
Received: from npiserve0.corp.us.uu.net by cmr1.ash.ops.us.uu.net with ESMTP (peer crosschecked as: npiserve0.corp.us.uu.net [153.39.88.22]) id QQjkee04626 for ; Mon, 9 Oct 2000 15:02:25 GMT
Received: by npiserve0.corp.us.uu.net id QQjkee10754 for freebsd-stable@freebsd.org; Mon, 9 Oct 2000 11:01:20 -0400 (EDT)
From: dkrapf@UU.NET (Donald E. Krapf)
Message-Id:
Subject: Re: ipf vs. ipfw ?
To: freebsd-stable@freebsd.org
Date: Mon, 9 Oct 2000 11:01:19 -0400 (EDT)
In-Reply-To: <20001008025913.A29388@intelenet.net> from "matthew zeier" at Oct 08, 2000 02:59:13 AM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

matthew zeier writes:
> Can anyone tell me the differences between ipf and ipfw ? Which is
> "better" ?

I've used both ipfilter and ipfw and found them both to be usable. I'm
currently using ipfilter on both FreeBSD and Solaris 2.6.

Ipfilter rule groups are a good idea but could be better. I don't
remember if ipfw has something similar.

The NAT facility (ipnat) of ipfilter is practically undocumented for all
but the most common configurations. As far as I can tell, some of the
features (e.g. some in-kernel proxies) actually are undocumented. If you
just want to do something simple, such as map a home network behind a
gateway to your ISP, you can copy one of the trivial examples.

I've never used ipfw's NAT facility (natd) and don't know anything about
its rules.

For heavy NAT traffic, I prefer ipnat because it's in-kernel, whereas
natd is a user-space daemon. Most any modest Unix box can route IP
practically in its sleep. Ipnat adds an insignificant additional load
since it just twiddles a few bits in the packet as it goes by on the
stack. If I understand natd's implementation correctly, it pushes each
packet out through a pseudo-device where it is read, and then rewritten,
by natd. That requires 2 context switches per packet, not to mention the
copying and recopying of the packet data.

Similarly, ipfilter does its filtering in the kernel. I don't remember
if ipfw does its filtering in the kernel or if it uses a user-space
daemon like it does for NAT.

I'd like to hear other opinions on this subject.

Don
--
Don Krapf

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
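A worked configuration for the simple case the post mentions (a home network mapped behind a FreeBSD gateway to an ISP), together with the ipfw/natd counterpart whose divert handoff the post describes. This is an added example and is not from the post or from the ipfilter or FreeBSD projects; the interface name fxp0, the 192.168.1.0/24 network, the port range and the choice of SSH as the only inbound service are assumptions.

```conf
# Added example, not from the post above. Assumptions: fxp0 faces the ISP,
# the home LAN is 192.168.1.0/24 on a second interface, the kernel has
# options IPFILTER (or the ipl module is loaded) and IP forwarding is on.

# ---- /etc/ipnat.conf: map the LAN behind whatever address fxp0 holds ----
# ipnat uses the first matching rule, so the FTP proxy line (one of the
# in-kernel proxies the post mentions) must precede the generic map rules.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Rewrite source ports into a private range so two inside hosts that pick
# the same source port do not collide; 0/32 means "current address of fxp0".
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
# Everything else (ICMP and so on) only has its source address rewritten.
map fxp0 192.168.1.0/24 -> 0/32

# ---- /etc/ipf.conf: stateful filter with a rule group on the outside ----
# ipf is last-match-wins unless a rule says "quick"; start by denying all.
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
# Drop packets arriving from the ISP side that claim an inside address.
block in quick on fxp0 from 192.168.1.0/24 to any
# "head 100" hands every inbound packet on fxp0 to group 100; a packet that
# matches nothing in the group falls back to this block rule.
block in quick on fxp0 all head 100
  # Only SSH is accepted from outside, and only the SYN that opens it;
  # the rest of the connection is admitted by the state entry.
  pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state group 100
# Outbound traffic may leave; replies come back via the state table, not a rule.
# (Outbound packets are filtered before ipnat rewrites them, inbound packets
# are un-NATed first, so rules see the inside addresses on both paths.)
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# ---- ipfw/natd equivalent of the NAT part, for contrast ----
# natd lives in user space: an ipfw divert rule hands each packet crossing
# fxp0 to the daemon over a divert socket, natd rewrites it and reinjects it.
# /etc/rc.conf (kernel needs options IPFIREWALL and IPDIVERT):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   natd_enable="YES"
#   natd_interface="fxp0"
# The rule that performs the handoff ("natd" is the divert port from
# /etc/services):
#   ipfw add 50 divert natd ip from any to any via fxp0
```

Load the filter rules with `ipf -Fa -f /etc/ipf.conf` and the NAT rules with `ipnat -CF -f /etc/ipnat.conf`; `ipnat -l` lists the active translation table, which is the quickest way to confirm that the portmap rule, rather than the catch-all map, is the one handling TCP and UDP sessions. The ipfw variant needs natd running on the same divert port before the divert rule is installed, otherwise packets matching that rule are dropped.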