Date:      Fri, 18 Aug 2000 11:04:58 -0700 (PDT)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        Shawn Barnhart <swb@grasslake.net>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: ipfilter v. ipfw
Message-ID:  <Pine.BSF.4.21.0008181054250.90214-100000@harlie.bfd.com>
In-Reply-To: <000f01c00939$0dd7b480$b8209fc0@marlowe>

On Fri, 18 Aug 2000, Shawn Barnhart wrote:

> | Hmmm.  I do indeed have both "ipfilter" and "ipfw" support enabled in
> | my kernel.  However, I am currently using only "ipfw" firewall rules
> | (in /etc/rc.firewall).  I've been considering the idea of switching
> | over to the new "ipfilter" facility, but I haven't had time yet.
> 
> Is ipfilter newer/better/smarter/faster/etc than ipfw?  I've always been
> under the assumption that ipfw was the "built-in" packet filtering code
> and ipfilter was a kind of add-on filtering that wasn't as built-in.

I've got firewalls in place with each kind.  Personally, I find ipfw more
flexible, especially now that it can track states.  ipfw works on a first
match engine, ipfilter works on a last match engine (I don't know why, it
just means more work for the engine), though you can include an option to
each rule to make it act first match.

ipfilter has in-kernel NAT, whereas ipfw uses natd in userspace, so there
might be a performance benefit there, but ipfilter also doesn't have any
way to say "machine A nats to everything but net B" which really tripped
me up on one of our DMZ firewalls.  We're going to be replacing ipfilter
with ipfw on that machine when we upgrade it to 4.1, for that reason.

I don't think ipfilter supports anything like divert sockets, for that
matter.  Not a major issue, since the most common use for divert sockets
is natd, and ipfilter provides similar functionality.
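The first-match versus last-match distinction in the message above is the thing most likely to bite someone porting a rule set between the two filters, so here is an added, constructed simulation (not code from the original thread, and not the real ipfw or ipfilter rule syntax): a toy packet classifier evaluated once as an ipfw-style first-match engine and once as an ipfilter-style last-match engine with the `quick` keyword. The rules, addresses and packets are made up for the example. It also counts how many rules each engine has to consult, which is the extra work the author refers to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str = "0.0.0.0/0"      # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    quick: bool = False         # ipfilter 'quick': stop evaluating when this rule matches


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, int]:
    """ipfw style: the first matching rule decides; nothing after it is consulted.
    Returns (decision, number_of_rules_consulted)."""
    consulted = 0
    for rule in rules:
        consulted += 1
        if matches(rule, pkt):
            return rule.action, consulted
    return default, consulted


def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, int]:
    """ipfilter style: every rule is consulted and the LAST match wins, unless a
    matching rule is marked quick, which ends evaluation on the spot.
    Returns (decision, number_of_rules_consulted)."""
    decision = default
    consulted = 0
    for rule in rules:
        consulted += 1
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision, consulted


# Constructed rule set, written in the order an ipfw admin would write it:
# specific passes first, catch-all block last.
RULES = [
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=22),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("block"),
]

# Same intent expressed in ipfilter idiom (a): mark the passes quick.
RULES_QUICK = [
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=22, quick=True),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=80, quick=True),
    Rule("block"),
]

# Same intent in ipfilter idiom (b): catch-all block FIRST, passes after it.
RULES_IPF_ORDER = [
    Rule("block"),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=22),
    Rule("pass", dst="192.0.2.10/32", proto="tcp", dport=80),
]

# Constructed sample traffic.
SSH = Packet("198.51.100.7", "192.0.2.10", "tcp", 22)
SMTP = Packet("198.51.100.7", "192.0.2.10", "tcp", 25)


if __name__ == "__main__":
    for name, rules in (("ipfw-order", RULES), ("quick", RULES_QUICK), ("ipf-order", RULES_IPF_ORDER)):
        for label, pkt in (("ssh", SSH), ("smtp", SMTP)):
            print(f"{name:10} {label:5} first-match={first_match(rules, pkt)}  last-match={last_match(rules, pkt)}")
```

Run as written, the ipfw-ordered list passes SSH under first-match but blocks it under last-match, because the trailing catch-all is the last rule to match; the two ipfilter idioms restore the intended result, and the `quick` form also stops after one rule instead of walking the whole list. Loading a rule set unchanged into the other engine silently inverts decisions, which is worth a test like this one before cutting over.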


