From: Jan Stary
To: freebsd-questions@FreeBSD.org
Date: Fri, 9 Jan 2004 22:34:39 +0100
Subject: ipf or ipfw?
Message-ID: <20040109213439.GA11626@artax.karlin.mff.cuni.cz>

Hello,

I am deciding whether to use ipf or ipfw. I have had a brief look at them and I like them both. I am quite a newbie in this. Is any one of them particularly better for the following situation?

One standalone server, hosted by an ISP; only want to protect myself (explicitly allow the services I provide); no need for traffic shaping; want to do some traffic statistics, though.

If you would use _one_ of them rather than the other for such a task, please tell me why (I mean, point me to the docs saying why).

Also, I am a bit confused by the kernel config for this: the names of the IPFILTER* and IPFIREWALL* make me think I need IPFILTER* to be able to run ipf, and IPFIREWALL* to run ipfw.
But the kernel functionality needed to run them is probably very much the same, so what am I missing? Didn't find this in the Handbook.

Which of these should I enable to run ipf(w)? Point me to the docs, please.

    device  bpf                           # Berkeley packet filter
    options IPSEC                         #IP security
    options IPSEC_ESP                     #IP security (crypto; define w/ IPSEC)
    options IPSEC_DEBUG                   #debug for IP security
    options MROUTING                      # Multicast routing
    options IPFIREWALL                    #firewall
    options IPFIREWALL_FORWARD            #enable transparent proxy support
    #options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
    options IPDIVERT                      #divert sockets
    options IPFILTER                      #ipfilter support
    options IPFILTER_LOG                  #ipfilter logging
    options IPFILTER_DEFAULT_BLOCK        #block all packets by default
    options IPSTEALTH                     #support for stealth forwarding

Thank you

Jan