Message-ID: <397FE9A4.1C1B9215@tempest.sk>
Date: Thu, 27 Jul 2000 09:49:56 +0200
From: Pavol Adamec
Organization: Tempest
Cc: freebsd-security@freebsd.org
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)

Siobhan Patricia Lynch wrote:

> ipfilter has to be flushed and reloaded, I don't have that luxury
>
> ipfw I can add rules on the fly.
>

Sorry, but ipf can add rules on the fly too.

As for ipf and ipfw - their capabilities are almost equal. There are
differences - ipnat is done within the kernel space, natd is running
in user space. Running in user space in this case means that the
translation is slower. BUT you can control where you want your translation
done - before, in-the-middle-of or at the end of the filtering rules.
There's no such choice with ipnat. And more, and more such details.

Paul