firewalling choice

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri May 2 07:57:58 PDT 2003


On Fri, May 02, 2003 at 02:19:25PM +0100, Vince Hoffman wrote:
> Hi, 
> 	I'm looking at implementing a freebsd (4.8-RELEASE) firewall. Since
> Freebsd supports ipfw and ipf I was wondering if either one has a particular
> advantage over the other. Can anyone point me at a comparison/give me an
> informed opinion?

This has become a FAQ on this list over the last few weeks.
Unfortunately, there is no definitive answer as to which one is
"better", nor is there huge disparity between the sizes of the
constituencies that favour one over the other.

Either ipfw or ipf will almost certainly do what you want: which one
you choose is pretty much a matter of taste nowadays.  Oh, there are
anecdotal reports that one will out-perform the other at a particular
task, and that the other is better for something else, but for a
normally loaded machine just doing packet filtering and/or NAT, the
differences are probably not going to be significant.

The biggest difference between the two from the user perspective is
that ipfw(8) is a 'first match wins' type ruleset, whereas ipf(8) is
'last match wins'.  Read the manual pages to find out which syntax
suits you best.  If you can't decide, toss a coin.  In extremis, you
can run *both* ipfw and ipf, but check the archives for details of how
they interact and what order the rulesets get applied to packets in
various situations.  If you choose ipfw(8), do read the section in the
man page about enabling ipfw2 support --- it offers some handy new
syntax for writing rulesets and personally I think ipfw2 should be the
default ipfw version in 4.x by now (as it is in FreeBSD 5.x).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
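The first-match/last-match distinction described above, as an added toy evaluator (not FreeBSD's ipfw or ipf code; the rule fields and the "quick" flag are simplified stand-ins for the real syntax): the same ordered ruleset yields opposite decisions under the two semantics, and either reversing the order or marking the specific rule "quick" restores the intended result under ipf.

```python
# Added example: toy evaluator contrasting ipfw 'first match wins' with
# ipf 'last match wins' on one ordered ruleset. Not FreeBSD code; the rule
# representation is a constructed, simplified stand-in for the real syntax.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp"
    dport: int      # destination port (0 when not applicable)
    direction: str  # "in" or "out"

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None
    direction: str = "any"
    quick: bool = False           # ipf-style 'quick': stop here if matched

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction == "any" or self.direction == p.direction))

def ipfw_decide(rules: List[Rule], p: Packet) -> str:
    """ipfw semantics: the first matching rule decides; deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def ipf_decide(rules: List[Rule], p: Packet) -> str:
    """ipf semantics: the last matching rule decides, unless a matching rule
    carries 'quick', which ends evaluation at that rule."""
    decision = "deny"
    for r in rules:
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision

def reorder_for_ipf(rules: List[Rule]) -> List[Rule]:
    """Reversing an ipfw-ordered list gives the same policy under ipf semantics."""
    return list(reversed(rules))

# Constructed ruleset written in the ipfw habit: specific allows first, catch-all deny last.
RULES = [
    Rule("allow", proto="tcp", dport=22, direction="in"),
    Rule("allow", proto="tcp", dport=80, direction="in"),
    Rule("deny"),
]
```

Feeding this ipfw-ordered list to the ipf evaluator denies SSH, because the catch-all deny is the last match; that silent inversion is the practical reason to read the ordering semantics before porting rules between the two.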