Firewall
Robert Watson
rwatson at FreeBSD.org
Mon Apr 30 09:58:19 UTC 2007
On Sun, 29 Apr 2007, Peter Jeremy wrote:
> On 2007-Apr-28 07:08:18 -0500, Jack Barnett <jackbarnett at gmail.com> wrote:
>> I plan on using NAT so both internal networks can get to the internets.
>>
>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>> IPFILTER and PF (BF?). I just need to do basic filtering and just a few
>> port forwards. Nothing too fancy. Which one would be recommended?
>
> Basically any of them will do what you want. The major differences are:
> - IPFW (IPFIREWALL) is FreeBSD only. Note that the NAT is in userland.
One of the big selling points of IPFW is integration with DUMMYNET, which
offers bandwidth management facilities not present in the other systems. I
understand there may be efforts afoot to add DUMMYNET support to other
firewall packages, but don't have any details. I have to say that DUMMYNET is
the main selling point for ipfw on my servers -- being able to rate limit
arbitrary IP addresses, port numbers, etc, both in terms of inbound and
outbound traffic is invaluable.
Robert N M Watson
Computer Laboratory
University of Cambridge
> - IPfilter is the most portable.
> - PF runs on *BSD. Note that (AFAIK) all proxies (e.g. FTP) are in userland.
>
> Userland NAT or proxies incur significantly higher overheads than
> in-kernel equivalents (because the packets have to cross the
> kernel/userland barrier twice). This may be an issue if you have a
> very fast Internet connection and an underpowered firewall.
>
> --
> Peter Jeremy
>
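An added example, not from the thread, of the dummynet rate limiting Robert describes: an ipfw ruleset that caps one LAN host's download and upload bandwidth with two pipes. The LAN interface name (fxp0), the host address and the rates are assumptions; the rules are matched on the LAN side so they do not depend on where natd rewrites addresses on the external interface.

```shell
#!/bin/sh
# Constructed example: throttle one LAN host with ipfw + dummynet pipes.
# Assumptions: LAN interface fxp0, host 192.168.1.20, kernel built with
# "options DUMMYNET" (or dummynet.ko loaded). Applying requires root on FreeBSD.

LAN_IF="${LAN_IF:-fxp0}"                       # assumed inside interface
THROTTLE_HOST="${THROTTLE_HOST:-192.168.1.20}" # assumed host to limit
DOWN_KBIT="${DOWN_KBIT:-2048}"                 # toward the host (download)
UP_KBIT="${UP_KBIT:-512}"                      # from the host (upload)

# Emit the ruleset as text first so it can be reviewed before touching the kernel.
# Pipe 1 shapes packets leaving via the LAN interface toward the host (download);
# pipe 2 shapes packets the host sends in via the LAN interface (upload).
# "queue 50" bounds each pipe's backlog at 50 packets so a saturated pipe drops
# instead of buffering without limit. Matching on the LAN side keeps the rules
# independent of the natd divert rule on the external interface.
dummynet_rules() {
    cat <<EOF
ipfw -q pipe 1 config bw ${DOWN_KBIT}Kbit/s queue 50
ipfw -q pipe 2 config bw ${UP_KBIT}Kbit/s queue 50
ipfw -q add 1000 pipe 1 ip from any to ${THROTTLE_HOST} out via ${LAN_IF}
ipfw -q add 1010 pipe 2 ip from ${THROTTLE_HOST} to any in via ${LAN_IF}
EOF
}

# Caveat: with the default net.inet.ip.fw.one_pass=1, a packet leaving a pipe is
# accepted immediately and never reaches later rules. Put deny rules before rule
# 1000 (or set one_pass=0), otherwise the pipes silently bypass your filtering.
# Refuse to apply when ipfw is absent (e.g. when reviewing the rules elsewhere).
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; rules not applied" >&2
        return 1
    fi
    dummynet_rules | sh
}

# Number of ipfw commands the generated ruleset contains.
rule_count() {
    dummynet_rules | grep -c '^ipfw '
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     dummynet_rules ;;
esac
```

Run with `apply` as the first argument to load the rules; with no argument it only prints them for review.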