From owner-freebsd-questions Fri Oct 12 12:26:49 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Steve Bernard"
To: "FreeBSD"
Subject: RE: IPFW or IPFILTER?
Date: Fri, 12 Oct 2001 15:26:38 -0400
In-reply-to: <20011012121617.J96182-100000@Amber.XtremeDev.com>

OpenBSD does support bridging and more specifically it supports bridging firewalls. From the bridge(4) man page:

"The bridge device creates a logical link between two or more Ethernet interfaces or encapsulation interfaces. This link between the interfaces selectively forwards frames from each interface on the bridge to every other interface on the bridge. A bridge can serve several services, including isolation of traffic between sets of machines so that traffic local to one set of machines is not available on the wire of another set of machines, and it can act as a transparent filter for ip(4) datagrams."
Bridges use the 'bridge' pseudo-device and are configured using brconfig(8).

Regards,
Steve

-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of FreeBSD
Sent: Friday, October 12, 2001 2:30 PM
To: Maine LOA List Admin (Brent Bailey)
Cc: Hartmann, O.; freebsd-stable@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?

IPFW has dummynet. The ipf author suggests using AltQ. ipf also supports round-robin port forwarding to multiple servers (and a little app to check for downed servers etc.) in ipnat if you run a cluster, and can port forward a range of ports without separate rules for each (iirc).

ipf has also been around much longer than ipfw in terms of development time, and is more mature code (as evident by ipfw's past sec issues). I've found myself able to do quite a bit with ipf/ipnat; bimap/map helps a great deal. ipf also has the distinction of being on all the BSDs (it used to be used exclusively by OpenBSD as its only firewall) and even on early 2.0.x Linux kernels, as well as on Solaris. So if you know ipf rule syntax, you are guaranteed to be useful on a good many UNIX systems.

ipfw currently has bridging support in FreeBSD while ipf does not. This is being worked on and should change fairly soon. ipfw has a tighter integration with FreeBSD than ipf, which also means that it gets updated more often, and fewer changes in FreeBSD break things with the firewall.

If you require ipfw/dummynet features but prefer or require ipf/ipnat-only features, you can always combine them. I currently use ipfw/dummynet for bandwidth shaping and ipf as my primary filter processing. Just remember that ipfw gets processed first on incoming packets, then ipf.

Performance is negligible unless you have hundreds or even thousands of rules (which some do). Then the tree capabilities of ipf really shine, not because it does the job it does, but because it makes really readable rules.
When I tried with ipfw's skipto, I was suddenly reminded of the goto statements in BASIC a long, long time ago, and I had to cringe.

As a side note, OpenBSD is no longer including ipf in its default installs now, but is instead using pf, a new firewall being written. But pf will use the same syntax rules as ipf, so you'd still be "guaranteed a job" if you move OSs.

On Fri, 12 Oct 2001, Maine LOA List Admin (Brent Bailey) wrote:

> Everything I've read on the FBSD site...as well as from experience, is that IPFW is
> more versatile...you can do more with it,
> including traffic shaping.. "pipe & queue" & dummynet...as well as being a plain
> out better firewall than IPFILTER. Again this is mostly
> opinion. As far as speed, IPFW is a hair slower than IPFILTER...but I'm sure
> you wouldn't even notice the difference..
> I run 2 FBSD gateway machines running IPFW w/ NATD...each gateway is
> supporting 100+ users and workstations
> each...and never had any issues with setting up for speed or
> stability...both FBSD machines have uptimes in excess of 200 days.
> Plus the fact there's tons of "howto's" for IPFW and NAT.
>
> B
> ----- Original Message -----
> From: "Hartmann, O."
> To:
> Cc:
> Sent: Friday, October 12, 2001 9:46 AM
> Subject: IPFW or IPFILTER?
>
>
> > Hello.
> >
> > Please do not understand this question as a question of what I believe in;
> > it is simply a question of what to use for best performance.
> >
> > FreeBSD uses two filtering systems, ipfw and ipfilter, and each of these
> > two systems has its own advantages and disadvantages. ipfilter seems to
> > be more sophisticated in how to write rules.
> > At the moment, we use ipfw around here due to the easy rule syntax. But
> > that is not what should be the main argument. I want to ask about the
> > performance, I mean the throughput/bandwidth. Does anyone know something
> > about the bandwidth of both filters? What are the pros and cons?
> >
> > Thanks,
> > Oliver
> >
> > --
> > Kind regards,
> > O. Hartmann
> >
> > ohartman@klima.physik.uni-mainz.de
> > ----------------------------------------------------------------
> > IT Administration of the Institute for Atmospheric Physics (IPA)
> > ----------------------------------------------------------------
> > Johannes Gutenberg Universitaet Mainz
> > Becherweg 21
> > 55099 Mainz
> >
> > Tel: +496131/3924662 (machine room)
> > Tel: +496131/3924144
> > FAX: +496131/3923532
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
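As an added example (not from any of the posters), the combination described in the thread, ipfw/dummynet for bandwidth shaping with ipf as the primary filter and ipnat doing round-robin port forwarding, written as a FreeBSD 4.x configuration; the interface names (fxp0 external, fxp1 internal), addresses and rates are assumed placeholders, the kernel is assumed to be built with IPFIREWALL, DUMMYNET and IPFILTER, and the comments follow the post's note that ipfw is processed before ipf on inbound packets:

```conf
# /etc/rc.conf (assumed host)
firewall_enable="YES"
firewall_type="/etc/rc.firewall.local"   # rc.firewall feeds this file to ipfw(8)
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/rc.firewall.local -- ipfw does shaping only. It sees inbound packets
# before ipf does, so keep it permissive and leave the accept/deny policy to ipf.
add 100 allow ip from any to any via lo0
pipe 1 config bw 512Kbit/s queue 10       # assumed uplink rate
pipe 2 config bw 2Mbit/s queue 20         # assumed downlink rate
add 200 pipe 1 ip from any to any out via fxp0
add 210 pipe 2 ip from any to any in via fxp0
add 65000 allow ip from any to any

# /etc/ipf.rules -- primary filter: default deny, stateful allows.
# ipnat rewrites inbound destinations before these rules run, so the
# web rules match the internal (translated) addresses.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
block in quick on fxp0 from 192.168.0.0/16 to any   # drop spoofed private sources
block in quick on fxp0 from 127.0.0.0/8 to any
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.168.1.11 port = 80 flags S keep state
pass in quick on fxp1 all
pass out quick on fxp1 all

# /etc/ipnat.rules -- spread the public web port over two internal hosts,
# plus ordinary outbound masquerading for the internal network.
rdr fxp0 0/0 port 80 -> 192.168.1.10,192.168.1.11 port 80 tcp round-robin
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
```

A host that drops out of the pool still receives its share of connections, which is why the post mentions a separate checker for downed servers; removing it from the rdr list and reloading ipnat is the manual equivalent.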