firewalling choice

Fernando Gleiser fgleiser at
Fri May 2 12:00:20 PDT 2003

On Fri, 2 May 2003, Matthew Seaman wrote:

> The biggest difference between the two from the user perspective is
> that ipfw(8) is a 'first match wins' type ruleset, whereas ipf(8) is
> 'last match wins'.  Read the manual pages to find out which syntax

This is not true, ipf can do first-match or last-match. Or you can
mix them. Look at the 'quick' keyword for the details.

With ipf you can make the ruleset tree-shaped instead of a linear list
(rule groups) and that speeds the search in very long rulesets.
Some people told me you can do the same with ipfw 'skipto' keyword,
but I don't see how to do that in a simple way.

Both ipf and ipfw are very powerful, I prefer ipf for compatibility reasons
(I have some old SPARC firewalls running ipf over Solaris). Besides, when I
started using it (more than 6 years ago, back to 2.2.X) ipf was the way to
go if you wanted NAT.

Now I mix it with ipfw to use dummynet in the FreeBSD boxes. IPF does
filtering/NAT and ipfw does shaping.

If you can afford it, my advice is to try both and see which one you like
more, or which fits your particular needs better.
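An added ipf.conf fragment, not from the original post, showing the two points above: the default last-match evaluation, the 'quick' keyword that turns a rule into first-match, and a rule group (head/group) that branches a subtree of rules off one head rule. The interface name fxp0 and the blocked network 192.0.2.0/24 are assumptions for the example.

```ipf
# ipf default: the LAST matching rule decides, so these catch-alls are only
# the fallback if nothing later matches.
block in all
block out all

# 'quick' stops evaluation at this rule: first-match semantics for this
# rule only. Example network and interface are constructed for this sample.
block in quick on fxp0 from 192.0.2.0/24 to any

# Rule group: the head rule starts group 100. Rules tagged 'group 100' are
# evaluated only when the head matches, so the ruleset becomes a tree
# instead of a flat list. If no group rule matches, the head's action
# (block) applies, which keeps the default-deny posture for fxp0 inbound.
block in quick on fxp0 all head 100
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state group 100
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state group 100

# Outbound traffic from the firewall itself, with state so replies return.
pass out quick on fxp0 proto tcp all flags S keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
```

With rule groups, a packet not destined for fxp0 never walks the group 100 rules, which is where the speed-up on long rulesets comes from; only the head rule is evaluated in the main list.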


