Date:      Fri, 12 Oct 2001 12:27:33 -0400 (EDT)
From:      Kenneth Wayne Culver <culverk@wam.umd.edu>
To:        "Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>
Cc:        "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>, freebsd-stable@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW or IPFILTER?
Message-ID:  <Pine.GSO.4.21.0110121221030.27531-100000@sun10pg2.wam.umd.edu>
In-Reply-To: <004901c15338$ed9c4500$24b4a8c0@pretorian>

> Everything I've read on the FBSD site...as well as from experience is that IPFW is
> more versatile...you can do more with it
> including traffic shaping .. "pipe & queue" & dummynet...as well as plain
> out better firewall than IPFILTER. again this is mostly
> opinion  as far as speed IPFW is a hair slower than IPFILTER.  ..but I'm sure
> you wouldn't even notice the difference..
> I run 2 FBSD gateway machines  running IPFW w/ NATD  ...each gateway is
> supporting 100+  users and workstations
> each....and never had any issues with setting up for speed or
> stability...both FBSD machines have uptimes in excess of 200 days.
> plus the fact there's tons of "howto's " for IPFW and NAT.
> 
Truthfully, a lot more people are starting to prefer ipfilter for NAT
solutions though. I have found that ipfilter is really easy to configure
and get working in an acceptable manner. I've heard that if you want to
do traffic shaping but still want to use ipfilter, this is possible by just
setting ipfw to be open by default, and using ipfilter to do the actual
filtering, while using dummynet for traffic shaping. I'm not sure how this
affects performance though. For NAT I would think that ipfilter is faster
because for natd, every packet must be copied out of the kernel, to natd,
then back into the kernel. I have actually run into problems with this
with as few as 5 people (using Quake III on their computers connecting to
a single Quake III server, natd handled 3 people, but when the 4th person
connected, the ping skyrocketed, and we started having packet loss) but
with ipfilter, the problems disappeared. This of course was on a 200MHz
Pentium Pro, but it worked fine with ipfilter.

Ken

> B
> ----- Original Message -----
> From: "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
> To: <freebsd-stable@freebsd.org>
> Cc: <freebsd-questions@freebsd.org>
> Sent: Friday, October 12, 2001 9:46 AM
> Subject: IPFW or IPFILTER?
> 
> 
> > Hello.
> >
> > Please do not understand this question as a question of what I believe in,
> > it is simply a question of what to use for best performance.
> >
> > FreeBSD uses two filtering systems, ipfw and ipfilter, and each of these
> > systems has its own advantages and disadvantages. ipfilter seems to
> > be more sophisticated in how to write rules.
> > At the moment, we use ipfw around here due to the easy rule syntax. But
> > that is not what should be the main argument. I want to ask about the
> > performance, meaning the throughput/bandwidth. Does anyone know something
> > about the bandwidth of both filters? What are the pros and cons?
> >
> > Thanks,
> > Oliver
> >
> > --
> > Best regards
> > O. Hartmann
> >
> > ohartman@klima.physik.uni-mainz.de
> > ----------------------------------------------------------------
> > IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
> > ----------------------------------------------------------------
> > Johannes Gutenberg Universitaet Mainz
> > Becherweg 21
> > 55099 Mainz
> >
> > Tel: +496131/3924662 (machine room)
> > Tel: +496131/3924144
> > FAX: +496131/3923532
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
> >
> 
> 
> 

