ipfw vs ipfilter
max at love2party.net
Sat Dec 11 08:52:56 PST 2004
On Saturday 11 December 2004 15:23, Castl Troy wrote:
> Hello people,
> Can anybody help me with understanding the difference between ipfilter (ipf)
> and ipfirewall (ipfw).
> Any link to docs or info will greatly help me. I have used FreeBSD for almost 5
> years, but I used only ipfw for packet routing
> and never used ipfilter for this. I wonder is it "internal" packet routing
> mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this
> question is so stupid, but I really don't know what ipfilter is,
> man ipf did not help me with understanding the difference.
There are quite a few differences between IPFW and IPF or PF (which is the
third firewall software currently available). The short answer is that IPFW
provides a low-level filter mostly focused on the IP layer, while PF also
provides sophisticated filtering on the TCP/UDP layer. I am not saying it is not
possible to filter UDP/TCP with IPFW, but not to the degree that it is possible
with PF. Included in this point is the focus on static (IPFW) vs. dynamic (PF)
rules. IPFW provides dynamic rules, but - when compared to PF - a very
limited version. One should note that IPFW is very fast when evaluating
static rules, while PF is not as fast with static rules but gains a lot with
dynamic rules. Finally, IPFW does not have a network address translation
unit in-kernel and needs to divert packets to userland utilities to perform
NAT. PF does that in the kernel and provides - in conjunction with the
dynamic rules - very powerful means to do load balancing.
The other obvious difference is the ruleset syntax. This is mostly a matter
of choice. I personally find that PF style rulesets are easier to read.
As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can do.
As IPF in the tree is still version 3.x, it is lacking quite a few of the nice
new features - address pools, e.g. So if you want to look at an alternative
to IPFW, you had better look at PF.
More information about PF, as mentioned in the handbook:
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News