From owner-freebsd-questions Mon Jan 17 14:10:47 2000
Date: Mon, 17 Jan 2000 23:54:29 +0200
From: Giorgos Keramidas
To: Brian Anderson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipf/ipnat vs. ipfw/natd
Message-ID: <20000117235429.A4455@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
X-Mailer: Mutt 1.0pre3i
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E

On Mon, Jan 17, 2000 at 03:19:06PM -0500, Brian Anderson wrote:
>
> so, the latest step in my freebsd education is firewalling. from what
> i can see, there are 2 tools that seem heavily used: ipf with ipnat,
> and ipfw with natd.
>
> is there any place i can find a comparison of the two: pros and cons,
> and all that happy stuff?

None that I know of.

> it looks like ipfw is the default, but ipf is easier to find
> documentation on...

Yup, ipfw is the default, but ipf works like a charm too, once you get
the kernel to compile with the proper options. One thing that I really
like in ipf is that rules can be split in groups, depending on criteria
of your own, i.e.
    block in on lo0 head 10
    block out on lo0 head 20
    block in on tun0 head 30
    block out on tun0 head 40

will use ruleset 10 for incoming lo0 traffic, ruleset 20 for outgoing
lo0 traffic, etc. But, someone might prefer:

    block in head 10
    block in quick proto tcp head 20
    block in quick proto udp head 30
    block in quick proto icmp head 40

and use ruleset 10 for filtering all protocols, 20 for filtering tcp,
etc. You get my point.

It seems to me that ipf is more flexible than ipfw, but this might be my
own personal (and admittedly humble) opinion. The best thing to do is
try them both and see what you come up with, which one suits you better.

Since I was playing with ipfw a few months ago, you might find the two
articles in my home page listed below of some use when trying it out :)

[1] Annotated sample ipfw(8) configuration.
    http://students.ceid.upatras.gr/~keramida/freebsd/ipfw.html

[2] A closed-firewall with ipfw(8)
    http://students.ceid.upatras.gr/~keramida/freebsd/ipfw-closed.html

Ciao.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"What we have to learn to do, we learn by doing." [Aristotle]
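The mail above shows only the `head` rules that open each group. As an added example (not part of the original message or of the author's pages), here is a complete ipf.conf that fills in the groups the `head` rules create, so the interaction between `head`, `group`, `quick` and `keep state` can be seen end to end. The interface names lo0 and tun0 follow the mail; the admin network 192.0.2.0/24 and the choice of services are assumptions made for illustration.

```conf
# Added example, not from the original mail. Interface names follow the
# mail; the admin network 192.0.2.0/24 and the allowed services are
# assumptions for illustration only.

# Loopback: nothing to filter. "quick" stops evaluation at the first match,
# so loopback packets never reach the tun0 heads below.
pass in  quick on lo0 all
pass out quick on lo0 all

# Head rules. Each one is the default action for its interface/direction
# AND opens a group that only packets matching the head (interface and
# direction) are evaluated against. Without a matching "quick" rule in the
# group, the head's own action ("block ... log") is what applies.
block in  log on tun0 all head 30
block out log on tun0 all head 40

# Group 30: inbound on tun0.
# Refuse packets whose source could not legitimately arrive from the
# outside (private and loopback ranges), before any pass rule is reached.
block in quick from 10.0.0.0/8     to any group 30
block in quick from 172.16.0.0/12  to any group 30
block in quick from 192.168.0.0/16 to any group 30
block in quick from 127.0.0.0/8    to any group 30

# Allow SSH only from the (assumed) admin network. "flags S" restricts the
# pass to connection-opening segments; "keep state" creates a state entry
# so the reply packets are admitted outbound without a rule in group 40.
pass in quick proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state group 30

# Answer echo requests, but no other ICMP type.
pass in quick proto icmp from any to any icmp-type echo group 30

# Anything else inbound on tun0 matches no quick rule in group 30 and is
# handled by the head: blocked and logged.

# Group 40: outbound on tun0.
# State entries for what this host originates are what lets the returning
# traffic through group 30 even though group 30 has no pass rule for it.
pass out quick proto tcp  from any to any flags S keep state group 40
pass out quick proto udp  from any to any keep state group 40
pass out quick proto icmp from any to any keep state group 40
```

Because ipf applies the last matching rule unless a rule says `quick`, every rule inside a group here is marked `quick`; the only non-quick rules are the heads, which is what makes them the default for their group. Logged blocks on the heads are the place to look when something legitimate is unexpectedly refused.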