Date: Sun, 25 Feb 2001 12:32:35 +0000
From: Duraid <latif2221@home.com>
To: Roelof Osinga <roelof@eboa.com>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: netfilter in freebsd
Message-ID: <3A98FB62.C9F8DE38@home.com>
References: <3A977CB1.7EF85F24@home.com> <20010224144734.A23735@daemon.kingsqueak.org> <3A982EE9.6BB6F1BE@eboa.com> <3A97EB10.BA8E0293@home.com> <3A9838E9.D96506BF@eboa.com>

Not really... after lots of digging through, there is a major difference between the two. ipfilter is a true stateful packet filter; that is, it has a state table that can keep track of every packet that you send using the 'keep state' keyword. This way you can block anything that you didn't send. ipfw has the 'established' option, but it doesn't use a state table (memory); it only decides upon seeing certain flags in the packet (ACT and maybe FIN), which anybody can fake and pierce your firewall.

Duraid

Roelof Osinga wrote:

> Duraid wrote:
> >
> > which one is newer ipfilter or ipfw? which one is stateful like iptables? i
> > might also say which one is better?
>
> Whichever you like best. Some - like I still - swear by ipfw, others
> swear at ipfw. Seems that ipfilter has a nicer language. Try them
> both, they're free <g>.
>
> Roelof
>
> --
> The New Nisse's Nisser @ http://nl.nisser.com/
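
The distinction drawn in the message above, as an added example that is not part of the original e-mail: a small Python model that runs the same packets through a flag-only check and through a state table. The packet model, names and addresses are constructed for illustration; the flag test follows the ipfw(8) definition of `established` (RST or ACK bit set), and the state table is a simplification of what `keep state` does.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (from the protected host) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def flag_only_filter(pkt):
    """Stateless check in the style of ipfw's 'established': outbound passes,
    inbound passes if the ACK or RST bit is set. No memory of earlier packets."""
    if pkt.direction == "out":
        return True
    return bool({"ACK", "RST"} & set(pkt.flags))

class StateTableFilter:
    """Simplified model of 'keep state': every outbound packet records its
    connection tuple, and inbound packets pass only if they match a recorded
    tuple. Real ipfilter also tracks timeouts and TCP sequence windows."""
    def __init__(self):
        self.states = set()

    def check(self, pkt):
        if pkt.direction == "out":
            self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: a genuine reply carries the recorded tuple reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states

def compare(packets):
    """Return [(flag_only_verdict, state_table_verdict), ...] for a sequence."""
    stateful = StateTableFilter()
    return [(flag_only_filter(p), stateful.check(p)) for p in packets]

# Constructed sample traffic using documentation addresses (RFC 5737).
SAMPLE = [
    Packet("out", "192.0.2.10", 40000, "198.51.100.5", 80, ("SYN",)),
    Packet("in", "198.51.100.5", 80, "192.0.2.10", 40000, ("SYN", "ACK")),  # genuine reply
    Packet("in", "203.0.113.9", 80, "192.0.2.10", 22, ("ACK",)),   # unsolicited, ACK set
    Packet("in", "203.0.113.9", 4444, "192.0.2.10", 22, ("SYN",)),  # unsolicited SYN
]

if __name__ == "__main__":
    for pkt, (flag_ok, state_ok) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.direction, pkt.src, pkt.flags,
              "flag-only:", flag_ok, "state table:", state_ok)
```

The third packet is the case the message describes: the flag-only check passes it because ACK is set, while the state table drops it because no outbound packet ever created a matching entry.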