ipfw vs ipfilter

Max Laier max at love2party.net
Sat Dec 11 08:52:56 PST 2004

On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
> Can anybody help me with understanding the difference between ipfilter(ipf)
> and ipfirewall (ipfw).
> Any link to docs or info will greatly help me. I use FreeBSD for almost 5
> years, but i used only ipfw for packet routing
> and never use ipfilter for this. I wonder is it "internal" packet routing
> mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but i am really dont know what ipfilter is,
> man ipf did not help me with understanding the difference.


There are quite a few differences between IPFW and IPF or PF (which is the 
third firewall software currently available).  The short answer is that IPFW 
provides a lowlevel filter mostly focused on the IP-layer, while PF provides 
also sophisticated filtering on the TCP/UDP layer.  I am not saying it is not 
possible to filter UDP/TCP with IPFW, but not in the degree as it is possible 
with PF.  Included in this point is the focus on static(IPFW) vs. dynamic(PF) 
rules.  IPFW provides dynamic rules, but - when compared to PF - a very 
limited version.  One should note, that IPFW is very fast when evaluation 
static rules, while PF is not as fast with static rules but gains a lot with 
dynamic rules.  Finnally IPFW does not have a network address translation 
unit in-kernel and needs to divert packets to userland utilities to perform 
NAT.  PF does that in the kernel and provides - in conjunction with the 
dynamic rules - very powerful means to do load balancing.

The other obvious difference is the ruleset syntax.  This is mostly a matter 
of choice.  I personally find that PF style rulesets are easier to read.

As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.  
As IPF in the tree is still version 3.x it is lacking quite a few of the nice 
new features - address pools e.g.  So if you want to look at an alternative 
to IPFW you better look at PF.

More information about PF, as mentioned in the handbook:

/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20041211/584fbabe/attachment.bin

More information about the freebsd-ipfw mailing list