Date: Mon, 9 Oct 2000 11:01:19 -0400 (EDT)
From: dkrapf@UU.NET (Donald E. Krapf)
To: freebsd-stable@freebsd.org
Subject: Re: ipf vs. ipfw ?
Message-ID: <QQjkee10754.200010091501@npiserve0.corp.us.uu.net>
In-Reply-To: <20001008025913.A29388@intelenet.net> from "matthew zeier" at Oct 08, 2000 02:59:13 AM
matthew zeier writes:

> Can anyone tell me the differences between ipf and ipfw ? Which is
> "better" ?

I've used both ipfilter and ipfw and found them both to be usable. I'm currently using ipfilter on both FreeBSD and Solaris 2.6.

Ipfilter rule groups are a good idea but could be better. I don't remember if ipfw has something similar.

The NAT facility (ipnat) of ipfilter is practically undocumented for all but the most common configurations. As far as I can tell, some of the features (e.g. some in-kernel proxies) actually are undocumented. If you just want to do something simple, such as map a home network behind a gateway to your ISP, you can copy one of the trivial examples.

I've never used ipfw's NAT facility (natd) and don't know anything about its rules.

For heavy NAT traffic, I prefer ipnat because it's in-kernel whereas natd is a user-space daemon. Most any modest unix box can route IP practically in its sleep. Ipnat adds an insignificant additional load since it just twiddles a few bits in the packet as it goes by on the stack. If I understand natd's implementation correctly, it pushes each packet out through a pseudo device where it is read, and then rewritten, by natd. That requires 2 context switches per packet, not to mention the copying and recopying of the packet data.

Similarly, ipfilter does its filtering in the kernel. I don't remember if ipfw does its filtering in the kernel or if it uses a user-space daemon like it does for NAT.

I'd like to hear other opinions on this subject.

Don
--
Don Krapf

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
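The "map a home network behind a gateway" case Don refers to, as an added ipnat rules file that is not part of the post; the outside interface fxp0, the inside network 192.168.1.0/24 and the internal host 192.168.1.10 are assumed values.

```conf
# /etc/ipnat.rules  (added example; fxp0, 192.168.1.0/24 and 192.168.1.10 are assumed)
# ipnat uses the first matching rule, so the more specific proxy rule goes
# before the catch-all map rules.  0/32 means "the current address of fxp0",
# which is what you want on a dial-up or DHCP-assigned ISP link.

# In-kernel FTP proxy: rewrites the PORT command so active-mode FTP from
# inside hosts survives translation.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp

# TCP and UDP: translate the source address and move source ports into a
# fixed range, so translated flows are easy to recognise in the state table.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000

# Everything else (e.g. ICMP echo) gets plain address translation.
map fxp0 192.168.1.0/24 -> 0/32

# Inbound redirect: TCP port 80 arriving on fxp0 is handed to an inside host.
# Leave this out unless that host is meant to be reachable from the outside.
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.1.10 port 80 tcp
```

Load with `ipnat -CF -f /etc/ipnat.rules` and inspect the active translations with `ipnat -l`; the gateway still needs IP forwarding enabled.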