Date:      Sun, 29 Apr 2007 15:49:51 -0400
From:      Gary Corcoran <gcorcoran@rcn.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        Peter Jeremy <peterjeremy@optushome.com.au>, freebsd-net@freebsd.org, Jack Barnett <jackbarnett@gmail.com>
Subject:   Re: Firewall
Message-ID:  <4634F6DF.40701@rcn.com>
In-Reply-To: <4634F0B0.5060007@elischer.org>
References:  <dedb607c0704280508nf2c071dh2f76967999f68696@mail.gmail.com>	<20070429112838.GH848@turion.vk2pj.dyndns.org> <4634F0B0.5060007@elischer.org>

Julian Elischer wrote:
> Peter Jeremy wrote:
>> On 2007-Apr-28 07:08:18 -0500, Jack Barnett <jackbarnett@gmail.com> wrote:
>>> I plan on using NAT so both internal networks can get to the internets.
>>>
>>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>>> IPFILTER and PF (BF?).   I just need to do basic filtering and just a few
>>> port forwards.  Nothing too fancy.  Which one would be recommended?
>>
>> Basically any of them will do what you want.  The major differences are:
>> - IPFW (IPFIREWALL) is FreeBSD only.  Note that the NAT is in userland.
> 
> though that is just fine for your average DSL link.. it is in kernel in 7.0

It is also just fine on a fast cable modem.  I ran for several years with
a low speed cable modem, around 1.5 - 2 Mbps, using nothing more than a
90MHz Pentium, with IPFW and NAT.

Gary

> 
>> - IPfilter is the most portable.
>> - PF runs on *BSD.  Note that (AFAIK) all proxies (eg FTP) are in userland.
>>
>> Userland NAT or proxies incur significantly higher overheads than
>> in-kernel equivalents (because the packets have to cross the
>> kernel/userland barrier twice).  This may be an issue if you have a
>> very fast Internet connection and an underpowered firewall.
>>
> 


