firewall on freebsd

Ean Kingston ean at hedron.org
Fri Jun 24 14:58:46 GMT 2005


On June 24, 2005 09:33 am, Khanh Cao Van wrote:
> I'm going to learn about the FreeBSD firewall. The handbook lists
> some of them and I could not find out what is the best. So I decided
> to post here hoping to gain some of your opinion and experience.
> I would like to know what firewall was the most wanted? I have used
> Linux several months and IP tables was a good stateful firewall.
> What about in FreeBSD?

All three are well written and all three pretty much do the same thing. Some 
things you may want to consider when choosing which firewall product to use:

IPFW is part of FreeBSD and only runs on FreeBSD. Filtering is implemented in
the kernel; NAT is a user-land daemon.

IPFilter is written to work with many operating systems (FreeBSD and Solaris 
are two examples). Filtering and NAT both run in the kernel.

IPF was written for OpenBSD and later ported to FreeBSD. IPF came into 
existence because of disagreements between certain members of the OpenBSD 
team and the author of IPFilter. Filtering is done in the kernel and I 
believe NAT is also in-kernel.

I have used both IPFW and IPFilter professionally. I prefer IPFW but only 
because I am more used to its filtering language. I have not found a 
sufficiently good technical reason for choosing one over the other.

For anyone who wants to start the in-kernel vs user-land NAT argument, I've 
already been through it and there are valid arguments for both sides. So, I 
won't get into it again.

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network 
administration please feel free to contact me directly.


More information about the freebsd-questions mailing list