From owner-freebsd-questions Tue Dec 11 21:53:35 2001
Date: Tue, 11 Dec 2001 21:53:18 -0800 (PST)
From: "f.johan.beisser"
To: Rob B
Cc: Donnie Jones
Subject: Re: IPF, IPFILTER, IPFW ? What's the difference?

On Wed, 12 Dec 2001, Rob B wrote:

> >I think I understand that IPF and IPFILTER are the
> >same thing, right?
>
> No, but similar.

uh. how are they different? just curious, since i'm fairly sure they're
exactly the same thing. ipf being the control interface to darren reed's
IPFilter package.

i'm not sure you and i are thinking of the same IPFilter/ipf.

> >And, IPF and IPFW are both programs that can be used
> >for firewall set up on FreeBSD.
>
> Yup
>
> >So, I ask you, what is the difference? Is one a
> >replacement for the other? or what?
>
> Sort of ... IPFW is part of the core FreeBSD OS, IPF has to be compiled
> from ports. IPF runs as-is in userspace, and can be compiled into the
> kernel, whereas IPFW runs in the kernel only

uh.. what?

IPFilter is a firewalling package from darren reed. it runs in kernel,
and entirely in the kernel.
you can update it separately, if you want to, but it comes distributed
with the FreeBSD kernel source code (you can check for it in
/sys/contrib/ipfilter/netinet/). it can be built as a loadable kernel
module from the IPFilter package (downloaded from IPFilter's home page),
or statically compiled into the kernel source code with a little work.

no firewalling is going to run very efficiently in "user space", passing
packets out of the kernel for processing (which is what natd does, under
ipfw) slows things down. one of the real advantages of IPFilter is that
it does everything in kernel space, including NAT.

IPFW is the FreeBSD *native* firewall.

the programs (called ipfw and ipf, respectively) are merely control
interfaces for the two kinds of firewalls.

> >Also, any good docs you can point me to would be
> >wonderful.
>
> http://www.obfuscation.org/ipf/ - home of lotsa docs on IPF, and the
> FreeBSD handbook for IPFW info. there is also some stuff on IPFW at
> www.onlamp.com (part of O'Reilly's pages)

the handbook has very good information on ipfw, and firewalling in
general. there are many good articles on BSD firewalling, just search
for them off of google.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse of
         J. Edgar Hoover." -- Tim Triche