Date: Mon, 17 Sep 2001 00:45:39 -0600
From: Brett Glass <brett@lariat.org>
To: Giorgos Keramidas <charon@labs.gr>, Jason Anthony Mifsud <jamifsud@superrpg.com>
Cc: chat@FreeBSD.ORG
Subject: Re: ipfw and ipf and pf
Message-ID: <4.3.2.7.2.20010917003434.046f6490@localhost>
In-Reply-To: <20010915140313.A45993@hades.hell.gr>
References: <20010914232949.A45136@FATE> <20010914232949.A45136@FATE>

At 05:03 AM 9/15/2001, Giorgos Keramidas wrote:

>You seem to be prejudiced on this matter.
>Why are you saying that ipf or pf[1] is more robust?

Many people think so. This may be because, for a long time, ipfw did not have stateful packet examination -- and the statefulness it now incorporates isn't as flexible as ipf's. Also, the mechanism it uses for NAT -- "divert sockets" -- seems to send every packet on a trip through userland. This can be inefficient under high loads.

As for pf: it's very much like ipf in terms of rule syntax but is in a different place in the pipeline architecturally.

>Both ipf and ipfw can be a decent firewall. They have similar features, and
>what can be done in one of them, is also possible with the other for more or
>less all their features. There is one thing that I know ipfw does, which ipf
>cannot handle, and that is 'pipes'; a means of bandwidth-limiting.

True. However, to be fair, the other BSDs do provide different facilities for bandwidth limiting.

--Brett