From owner-freebsd-questions Mon Feb 21 0:53:53 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from vail.net (vail.net [199.45.148.10]) by hub.freebsd.org (Postfix) with ESMTP id 4C8B937BEE6 for ; Mon, 21 Feb 2000 00:53:48 -0800 (PST) (envelope-from ivanfetch@technologist.com)
Received: from gatekeeper.cfcc.com (cfcc.com [204.144.216.251]) by vail.net (8.9.3/8.9.3) with ESMTP id BAA22029; Mon, 21 Feb 2000 01:49:18 -0700 (MST)
Received: from ibis.ivanfetch.tzo.com (168.191.167.118 [168.191.167.118]) by gatekeeper.cfcc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id FB03WKD9; Mon, 21 Feb 2000 01:58:33 -0700
Date: Mon, 21 Feb 2000 01:52:30 -0700 (MST)
From: Ivan Fetch
X-Sender: ifetch@ibis.ivanfetch.tzo.com
To: freebsd-questions@freebsd.org
Cc: "James A. Mutter"
Subject: ipf (packet filter) vs. ipfw
In-Reply-To: <38B055AB.30F80438@ds.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

The recent mentioning of the ipf howto on this list has reminded me to ask this:

Managing firewall rules with ipf instead of ipfw seems to have some advantages, notably the "keep state" functionality - ipf keeps more track of established connections on its own, whereas ipfw only seems to be able to tell "is it a syn packet or not". I was wondering what the firewall enthusiasts on this list thought about ipf vs. ipfw.

Some other questions I have (which hopefully some here can assist with) are:

1. Does anyone know which version of ipf ships with FreeBSD 3.4-release? There seems to be no way to tell which version you have (i.e. -v or -V switch). Some of the functionality mentioned in the how-to seems to be missing - specifically the ability to specify that ipf should automatically log to syslog with a specific level (log level auth.info ...), as well as specifying rules like (map 192.168.1.0/24 -> whatever...) for NAT.

2. If I keep some ipfw based rules, and use ipf rules as well, the ipfw rules seem to take effect first, then the packet is passed on to ipf based rules. Is this statement at all accurate? As I could not get NAT to work with ipf, I kept the rule which diverted traffic to the natd daemon (created by ipfw), and created all other firewall rules with ipf. This seems to work fine.

Thank you for any points-of-view,

Ivan.
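The following is an added example, not part of Ivan's message or of the ipf how-to he refers to, showing the "keep state" approach the post contrasts with ipfw's SYN-based checks, and the ipnat form of the map rule the post quotes. It assumes an external interface named fxp0 and the 192.168.1.0/24 LAN from the post; both are illustrative. The ipfw lines are the command-form equivalents, included only so the two filters can be compared side by side.

```conf
# --- /etc/ipf.rules (ipf keeps a state table; replies are matched to it) ---
# Outbound TCP: create a state entry on the SYN, then let the whole
# connection ride on that entry; no rule is needed for the reply packets.
pass out quick on fxp0 proto tcp from any to any flags S keep state
# UDP and ICMP get state entries too, so only solicited replies come back in.
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Anything inbound that did not match a state entry is dropped and logged.
block in log quick on fxp0 all

# --- /etc/ipnat.rules (note: an ipnat map rule needs the interface name) ---
# Rewrite the LAN range to whatever address fxp0 holds (0/32 = interface addr).
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32

# --- ipfw equivalents, as commands (stateless: flag inspection only) ---
# The divert rule the post describes, handing packets on fxp0 to natd.
ipfw add divert natd all from any to any via fxp0
# "setup" matches SYN without ACK; "established" matches any packet with
# ACK or RST set. ipfw has no record of whether a connection really exists,
# so a stray packet with ACK set passes this check; ipf's state table does not
# have that gap.
ipfw add pass tcp from any to any out setup
ipfw add pass tcp from any to any established
ipfw add deny log tcp from any to any in setup
```

Load the rule sets with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; `ipfstat -s` shows the state table, which is the quickest way to confirm that "keep state" entries are actually being created for outbound connections.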