From owner-freebsd-questions Mon Jan 17 14:28:10 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (Postfix) with ESMTP id 5D06514F26 for ; Mon, 17 Jan 2000 14:28:05 -0800 (PST) (envelope-from ejs@bfd.com)
Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.3/8.9.3) with ESMTP id OAA51675; Mon, 17 Jan 2000 14:27:42 -0800 (PST) (envelope-from ejs@bfd.com)
Date: Mon, 17 Jan 2000 14:27:42 -0800 (PST)
From: "Eric J. Schwertfeger"
To: keramida@ceid.upatras.gr
Cc: Brian Anderson , freebsd-questions@FreeBSD.ORG
Subject: Re: ipf/ipnat vs. ipfw/natd
In-Reply-To: <20000117235429.A4455@hades.hell.gr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 17 Jan 2000, Giorgos Keramidas wrote:

> It seems to me that ipf is more flexible than ipfw, but this might be
> my own personal (and admittedly humble) opinion. The best thing to do
> is try them both and see what you come up with, which one suits you
> better. Since I was playing with ipfw a few months ago, you might find
> the two articles in my home page listed below of some use when trying
> it out :) (just my opinion, I don't consider it an expert one)

I generally found ipfw easier to use, but ipf more flexible (because of
keep state), except in one case, which was enough to kill ipf's use for me.

One of the things I prefer about ipfw is that it terminates at the first
matching accept/deny rule, whereas ipf evaluates all rules (until it
matches something with quick set) and uses the last match. Logically, any
set of rules that can be done last match can also be done first match, and
I prefer the efficiency of first match, and typing quick on every line
annoys me.

Consider 3 zones: Internet, DMZ, and SemiSecure. SemiSecure is an
RFC-reserved network, DMZ is the class C assigned to us by our ISP, and
Internet is the internet at large. SemiSecure must use NAT to get to
Internet. With ipf, this locks SemiSecure into using NAT at all times,
except for specific pinhole exceptions, which causes two problems.

First, we'd like to be able to log IP addresses, including SemiSecure
addresses, on machines within the DMZ. Since NAT is always on, we wind up
logging IP addresses of the inner firewall (the outer one can only do
packet filtering, otherwise I'd do it there).

Second, we have a port range that is reserved on many (over 40) machines
in SemiSecure, that various machines in the DMZ need to be able to connect
to. The pinhole exceptions that I've found for ipf are pretty much one
address/port to one address/port, which would increase maintenance time
unacceptably.

On the other hand, ipf's ability to keep state is nice.
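A small simulation of the two evaluation models the post contrasts (ipfw's stop-at-first-match versus ipf's evaluate-everything-and-take-the-last-match, with and without `quick`), added here as an illustration; it is not code from the post, from ipf or from ipfw. The rule set, the packets and the addresses are constructed: 192.0.2.0/24 stands in for the DMZ class C and 10.0.0.0/8 for the RFC-reserved SemiSecure network, and port 5000 plays the reserved port that DMZ hosts need to reach. It shows the two claims in the post: a last-match rule set becomes an equivalent first-match rule set by reversing its order, and putting `quick` on every line of the reversed set turns ipf into a first-match filter, with the counters showing how many rules each model had to evaluate per packet.

```python
"""Simulate first-match (ipfw) and last-match (ipf) rule evaluation.

Added example, not code from the original post or from either firewall.
All rules, addresses and packets below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    dport: Optional[int] = None
    quick: bool = False         # ipf "quick": stop evaluating once this rule matches

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def first_match(rules: List[Rule], p: Packet, default: str = "block") -> Tuple[str, int]:
    """ipfw semantics: the first matching rule decides; nothing after it is looked at.
    Returns (decision, number of rules evaluated)."""
    for i, r in enumerate(rules, start=1):
        if r.matches(p):
            return r.action, i
    return default, len(rules)


def last_match(rules: List[Rule], p: Packet, default: str = "block") -> Tuple[str, int]:
    """ipf semantics: every rule is evaluated and the last match wins,
    unless a matching rule carries 'quick', which ends evaluation there."""
    decision, evaluated = default, 0
    for r in rules:
        evaluated += 1
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision, evaluated


def as_first_match(rules: List[Rule]) -> List[Rule]:
    """Translate a last-match rule set (without quick) into an equivalent
    first-match rule set: the last match in the original order is the first
    match in reversed order."""
    return [replace(r, quick=False) for r in reversed(rules)]


# Constructed ipf-style (last-match) policy. Later rules override earlier ones.
IPF_RULES = [
    Rule("block"),                                                          # default deny
    Rule("pass", proto="tcp", src="192.0.2.0/24", dst="10.0.0.0/8", dport=5000),  # DMZ -> reserved port
    Rule("pass", proto="tcp", dst="192.0.2.10/32", dport=25),               # inbound SMTP to a DMZ host
    Rule("block", proto="tcp", src="192.0.2.99/32"),                        # one DMZ host cut off entirely
]

# The same policy as ipfw would express it (first match wins).
IPFW_RULES = as_first_match(IPF_RULES)

# The same policy in ipf with "quick" on every line: first match wins again.
IPF_QUICK_RULES = [replace(r, quick=True) for r in IPFW_RULES]

# Constructed sample traffic.
PACKETS = {
    "dmz_to_reserved": Packet("192.0.2.5", "10.1.2.3", "tcp", 5000),
    "bad_dmz_host": Packet("192.0.2.99", "10.1.2.3", "tcp", 5000),
    "inbound_smtp": Packet("203.0.113.1", "192.0.2.10", "tcp", 25),
    "inbound_dns_udp": Packet("203.0.113.1", "192.0.2.10", "udp", 53),
}


def all_agree(packets) -> bool:
    """True if the three rule sets give the same decision for every packet."""
    for p in packets:
        a = first_match(IPFW_RULES, p)[0]
        b = last_match(IPF_RULES, p)[0]
        c = last_match(IPF_QUICK_RULES, p)[0]
        if not (a == b == c):
            return False
    return True


if __name__ == "__main__":
    for name, p in PACKETS.items():
        print(f"{name:16} ipf={last_match(IPF_RULES, p)} "
              f"ipfw={first_match(IPFW_RULES, p)} "
              f"ipf+quick={last_match(IPF_QUICK_RULES, p)}")
    print("all models agree:", all_agree(PACKETS.values()))
```

The second element of each result is the number of rules that had to be evaluated: without `quick`, ipf walks all four rules for every packet, while the first-match forms stop as soon as a rule fires (one rule for the blocked DMZ host). The translation by reversal only holds for rule sets that do not already use `quick`; mixing `quick` into a last-match set changes its meaning and has to be reasoned about rule by rule.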