Date: Wed, 07 Mar 2001 18:28:48 -0800 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: Christopher Schulte <christopher@schulte.org> Cc: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>, Nathan Dorfman <nathan@rtfm.net>, freebsd-security@FreeBSD.ORG Subject: Re: ipfw or ipf? Message-ID: <200103080229.f282T8E27412@cwsys.cwsent.com> In-Reply-To: Your message of "Wed, 07 Mar 2001 18:29:10 CST." <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>
In message <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>, Christopher Schulte writes:

> At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
> >On the other hand ipfw can do traffic shaping. On FreeBSD you can
> >build an "invisible" firewall with ipfw doing bridging.
>
> ipfw + dummynet + bridging is exactly what I use for my firewall. It's
> fast, stable, easy to manage, powerful and I'd recommend it to anyone
> wanting to secure a small network using FreeBSD and 2 NICs.
>
> Ipfw does have the ability to keep TCP states. I can't speak for NAT or
> portability. I have used ipf on at least OpenBSD and Solaris. It probably
> can be compiled on many more.
>
> ipfw is beautiful - two NICs just hop into promisc mode. One connects to
> the 'internal' network, the other to possibly a router or public
> switch. Then, using the firewall/shaping rules defined with ipfw, traffic is
> transparently passed (or dropped/rejected) from the external network to
> machines on the inside via software bridging.
>
> Not to mention, you can do sophisticated traffic limiting at the same time.

On the flip side IP Filter gives FTP, RCMD, and Real Audio proxies. The last two are inconsequential, unless you firewall your workstation, like I do at work, and perform Kerberos rsh (krsh) to systems you manage. The FTP proxy allows you to support PORT (active) FTP through your firewall. Not all FTP clients support passive FTP. Not all users are smart enough to remember to use passive FTP.

It's been reported that the state engine in IP Filter is more mature and more restrictive because of the checks it does for TCP packets being within the TCP window. I'm not sure whether IPFW does the same.

I have built firewalls based on IP Filter for filtering and NAT, specifically using IPF's FTP proxy, while using IPFW's dummynet.

Both IPFW and IPF are excellent firewalls. The beauty of FreeBSD, unlike the other operating systems, is that you get BOTH.
Two different tools in your toolbox for two slightly different jobs.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
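The TCP-window check credited to IP Filter's state engine above, as an added example that is not part of the original thread or of IPF's or ipfw's code: a toy stateful filter in Python that creates state only for SYNs from the inside network and then passes only segments whose sequence and ACK numbers fall inside the tracked window. The inside network, addresses, ports and sequence numbers are constructed.

```python
import ipaddress

class TcpStateTable:
    """One state entry per connection; 'fwd' is the side that sent the SYN.
    Sequence arithmetic ignores 32-bit wraparound to keep the example short."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)  # hosts allowed to open connections
        self.flows = {}  # (src, sport, dst, dport) as seen in the SYN -> state

    def _lookup(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.flows:
            return self.flows[(src, sport, dst, dport)], 'fwd', 'rev'
        if (dst, dport, src, sport) in self.flows:
            return self.flows[(dst, dport, src, sport)], 'rev', 'fwd'
        return None, None, None

    def filter(self, src, sport, dst, dport, flags, seq, ack, win, length=0):
        """Return 'PASS' or 'BLOCK'; passed packets advance the tracked state."""
        state, me, peer = self._lookup(src, sport, dst, dport)
        if state is None:
            # Only a SYN from the inside creates state, like 'keep state' on an
            # outbound rule; any other unsolicited packet is blocked.
            if flags == 'S' and ipaddress.ip_address(src) in self.inside:
                self.flows[(src, sport, dst, dport)] = {
                    'fwd': {'next_seq': seq + 1, 'win': win}, 'rev': None}
                return 'PASS'
            return 'BLOCK'
        if state[me] is None:
            # The responder's SYN/ACK must acknowledge exactly the SYN we tracked.
            if 'S' in flags and ack == state[peer]['next_seq']:
                state[me] = {'next_seq': seq + 1, 'win': win}
                return 'PASS'
            return 'BLOCK'
        mine, other = state[me], state[peer]
        peer_win = other['win'] if other else mine['win']
        # The segment must fall inside the window the peer advertised: a blind
        # injection that guesses the ports but not the sequence lands outside it.
        if not (mine['next_seq'] - peer_win <= seq <= mine['next_seq'] + peer_win):
            return 'BLOCK'
        # An ACK cannot acknowledge data the peer has not yet sent.
        if 'A' in flags and other and ack > other['next_seq']:
            return 'BLOCK'
        mine['next_seq'] = max(mine['next_seq'], seq + length + ('F' in flags))
        mine['win'] = win
        return 'PASS'
```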