Date: Fri, 18 Aug 2000 14:12:56 -0400
From: Peter Radcliffe
To: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfilter v. ipfw
Message-ID: <20000818141256.A29131@pir.net>

"Eric J. Schwertfeger" probably said:
> I've got firewalls in place with each kind. Personally, I find ipfw more
> flexible, especially now that it can track states. ipfw works on a first
> match engine, ipfilter works on a last match engine (I don't know why, it
> just means more work for the engine), though you can include an option to
> each rule to make it act first match.

I found ipfw far too limiting, state tracking or otherwise. I do use
keep state in ipfilter quite happily.

It also has a side advantage of being platform independent - I can use
the same rule files on my FreeBSD boxes and my Solaris boxes.

P.

--
pir                  pir@pir.net                    pir@net.tufts.edu
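Added example, not part of the original messages and not code from ipfw or ipfilter: a small Python model of the first-match and last-match evaluation described in the quoted text, including the per-rule option (ipfilter's "quick" keyword) that stops evaluation at a matching rule. The Rule class, the sample ruleset, the addresses and the default verdict are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any value
    dport: Optional[int] = None
    src: Optional[str] = None
    quick: bool = False           # stop evaluating once this rule matches

    def matches(self, pkt: dict) -> bool:
        fields = (("proto", self.proto), ("dport", self.dport), ("src", self.src))
        return all(want is None or pkt[key] == want for key, want in fields)


def first_match(rules, pkt, default="block"):
    """First-match engine: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default  # assumed default verdict when nothing matches


def last_match(rules, pkt, default="block"):
    """Last-match engine: the last matching rule decides, unless a
    matching rule is marked quick, which ends evaluation there."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed ruleset, ordered the way a last-match rule file is usually
# written: general policy first, specific exceptions after it.
RULES = [
    Rule("block", src="192.0.2.66", quick=True),  # hard deny for one source
    Rule("block"),                                # default deny
    Rule("pass", proto="tcp", dport=22),          # allow SSH
]
# The same rules with the quick flag removed from every rule.
RULES_NO_QUICK = [replace(r, quick=False) for r in RULES]

SSH = {"proto": "tcp", "dport": 22, "src": "198.51.100.7"}
TELNET = {"proto": "tcp", "dport": 23, "src": "198.51.100.7"}
DENIED_SRC = {"proto": "tcp", "dport": 22, "src": "192.0.2.66"}
```

The same rule order gives opposite results for SSH under the two engines, so a rule file carried from one model to the other has to be reordered, and without the quick flag the hard deny is overridden by the later pass rule.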