Date:      Wed, 26 Dec 2001 16:24:45 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBSD Questions" <questions@FreeBSD.ORG>
Subject:   ipf/IPFilter/ipnat  vers    ipfw/IPFW/nat
Message-ID:  <LPBBIGIAAKKEOEJOLEGOAEHFCKAA.barbish@a1poweruser.com>

I scanned the questions archives and snipped this info.
I would like to know if the views stated are correct.
Any other insight or background info would be great.

Does the ipf port install as userland or kernel & how to force kernel?
Is there a package install for ipf or ipnat?
Where would I find the ipf and ipnat ports?
Where can I find info on ipnat?
What is the difference between nat and ipnat if both run in user land?
Does IPFilter have a built in nat function?


SNIPPETS ABOUT ipf/IPFilter/ipnat

ipf is the real-time interactive control interface to Darren Reed's
IPFilter package.
ipf has to be compiled from ports. ipf runs as-is in userspace, and can be
compiled into the kernel. ipf is available on OpenBSD, NetBSD, Linux as well
as FreeBSD, so familiarity with it enables a bit of portability that ipfw
doesn't give you. ipf has the ability to keep two rule sets loaded, and
allows you to easily switch between them.  This is especially useful when
changing or interactively debugging rule sets on an active connection.

IPFilter is a firewalling package from Darren Reed. It runs entirely in the
kernel. It comes distributed with the FreeBSD kernel source code in
/sys/contrib/ipfilter/netinet/. One of the real advantages of IPFilter is
that it does everything in kernel space, including NAT, so it's faster. The
IPFilter rule set syntax is different from IPFW's. In IPFilter the last
rule to match gets control, whereas in IPFW the first rule to match gets
control.


IPFILTER is part of the GENERIC kernel, so no rebuild is required. You just
have to enable it in the rc.conf file. I just switched from ipfw to
ipfilter, and I found ipfilter easier to set up. Using the ipfilter/ipnat
combination I was able to implement filters I never managed to get working
under ipfw.....

I use ipfilter/ipnat and like the way you can flush/edit the kernel filter
list and the possibility to create nice config files for it. As I see it,
ipfilter is better at handling large configurations. It also uses a technique
which processes the whole rule set, which might be a bit confusing when you
first start using it.
I used ipfw & natd for a while, but since these copy packets from kernel to
userland, and ipfilter/ipnat don't, ipfilter gives _way_ more performance on
a busy network.

For home use I wouldn't care if I were you; if ipfw suits you and does
'your thing', use it. :)



SNIPPETS ABOUT ipfw/IPFW/NAT

Is it true that capital letters and lower case letters for
ipfw mean two different functions?
Is it true that IPFW runs in kernel land and all traffic has to be handled
twice if NAT is used?
Where does one find the open and standard ipfw rules file?
Are there any sample rules files with comments to copy from?




IPFW is the FreeBSD *native* firewall. IPFW is part of the core FreeBSD OS.
IPFW in capital letters references the native functions of FBSD;
ipfw in lower case letters references the interface to the IPFW FBSD native
firewall.   No firewalling is going to run very efficiently in "user
space", passing packets out of the kernel for processing, which is what natd
does under ipfw. Keep in mind though that it will only filter IP packets.
All others will be passed unless you hack around that in
the kernel. The man pages are wrong on this point.

How can I get an ipfw log file that records the size of the transmitted
packets? Is it possible at all? Not with ipfw(8) logging as it exists in the
base system.

The ipfw -f flush and other rules you list are only run if your rc.firewall
is run before your firewall.conf (or ipfw.rules).  For instance, in rc.conf:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/firewall.conf"

If you skip the call to rc.firewall, then you'll want to add the explicit
calls into ipfw.rules or firewall.conf.


I had natd running for a while, but that caused a 100% CPU load when there
was much traffic; now with ipnat it never gets higher than 20%.
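The first-match (ipfw) versus last-match (ipf) difference quoted above is the one that most often bites people who port a rule set between the two. As an added illustration written for this page (not code from the original post, from IPFW or from IPFilter), the following small Python model evaluates one constructed rule set under both policies; the `Rule` fields, the `quick` flag modelled after ipf's keyword, and the default actions when nothing matches are assumptions of the model, not a complete description of either firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source CIDR, or "any"
    dport: Optional[int]   # destination port; None matches any port
    quick: bool = False    # models ipf's 'quick' keyword: stop at this match

    def matches(self, src_ip: str, dport: int) -> bool:
        src_ok = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        return src_ok and (self.dport is None or self.dport == dport)

def ipfw_decide(rules: List[Rule], src_ip: str, dport: int) -> str:
    """ipfw policy: the first matching rule decides and evaluation stops.
    Default "block" models the implicit final deny rule (assumption)."""
    for r in rules:
        if r.matches(src_ip, dport):
            return r.action
    return "block"

def ipf_decide(rules: List[Rule], src_ip: str, dport: int) -> str:
    """ipf policy: every rule is scanned and the last match decides,
    unless a matching rule is 'quick', which ends the scan at once.
    Default "pass" models ipf's behaviour when nothing matches (assumption)."""
    decision = "pass"
    for r in rules:
        if r.matches(src_ip, dport):
            decision = r.action
            if r.quick:
                break
    return decision

# Constructed sample: a rule set written in the ipfw habit of
# "pass the specific thing first, block everything at the end".
IPFW_STYLE = [Rule("pass", "192.0.2.0/24", 22), Rule("block", "any", None)]

# The same intent expressed for ipf: make the pass 'quick' so the
# trailing block-all cannot override it.
IPF_STYLE = [Rule("pass", "192.0.2.0/24", 22, quick=True), Rule("block", "any", None)]

if __name__ == "__main__":
    print("ipfw:", ipfw_decide(IPFW_STYLE, "192.0.2.10", 22))            # pass
    print("ipf, same rules:", ipf_decide(IPFW_STYLE, "192.0.2.10", 22))  # block
    print("ipf, quick fix:", ipf_decide(IPF_STYLE, "192.0.2.10", 22))    # pass
```

Run as-is: the unchanged rule set that passes SSH from 192.0.2.0/24 under ipfw blocks it under ipf, because the trailing block-all is the last match; marking the pass rule `quick` restores the intended result.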







