ipf or ipfw?

Jan Stary jsta6559 at artax.karlin.mff.cuni.cz
Fri Jan 9 13:34:42 PST 2004


I am deciding whether to use ipf or ipfw. I have had a brief look
at them and I like them both. I am quite a newbie in this.

Is any one of them particularly better for the following
situation? One standalone server, hosted by an ISP; only want to
protect myself (explicitly allow the services I provide); no need
for traffic shaping; want to do some traffic statistics, though.

If you would use _one_ of them rather than the other for such a
task, please tell me why (I mean, point me to the docs saying

Also, I am a bit confused by the kernel config for this: the
names of the IPFILTER* and IPFIREWALL* make me think I need
IPFILTER* to be able to run ipf, and IPFIREWALL* to run ipfw.
But the kernel functionality needed to run them is probably very
much the same, so what am I missing? Didn't find this in the
Handbook. Which of these should I enable to run ipf(w)?
Point me to the docs, please.

device		bpf		# Berkeley packet filter
options 	IPSEC			#IP security
options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)
options 	IPSEC_DEBUG		#debug for IP security
options 	MROUTING		# Multicast routing
options 	IPFIREWALL		#firewall
options 	IPFIREWALL_FORWARD	#enable transparent proxy support
#options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
options 	IPDIVERT		#divert sockets
options 	IPFILTER		#ipfilter support
options 	IPFILTER_LOG		#ipfilter logging
options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
options 	IPSTEALTH		#support for stealth forwarding

	Thank you

