Old 18th July 2008
phoenix
Risen from the ashes
 
Join Date: May 2008
Posts: 696

Quote:
Originally Posted by ivanatora
I thought I have to do 'options IPFILTER' in order to have ipf working. Silly me, that was written in the howto.
Yes, you do. But why do you have IPFILTER (ipf) and IPFIREWALL (ipfw) in the same kernel?

Quote:
Okay, so IPF is old stuff, what about PF? I'm wondering which of the two - ipfw or pf - is better as a packet filter and NAT? I have reviewed IPFW and it reminds me of iptables in Linux - not so hard to get used to it, but I haven't checked PF yet. Is there a major difference between them, like "IPFW can do *that* and PF can't do it" or vice versa?
PF does better stateful filtering, and allows you to select from a "last rule that matches is the action to take" mode, which is the default, and a "first rule that matches is the action to take" mode, using the quick keyword. It's also more structured in that a rules file has to follow a certain order for the different sections. PF also does all NAT in-kernel. Rulesets are loaded all at once, so changing one rule reloads them all. PF uses ALTQ for traffic shaping/prioritising.

IPFW is more free-form. It uses rule numbers, so you can add/delete individual rules without affecting the rest of the rules. Until FreeBSD 7, all NAT was done in user space, now you can choose userspace or kernel-space. IPFW uses a "first matching rule wins" mode. IPFW supports divert rules that can send packets to any program that listens on a socket. The syntax has grown organically over the years, and can look really messy when doing the really advanced stuff. It uses dummynet for traffic shaping/prioritising, although it can also use the ALTQ framework.

Both are good packet filters. Both have rules syntax that resembles English sentences. Both can be either very simple to use, or very complex to use. Both are under active development.

IPFW is only used by FreeBSD and its derivatives. PF is used by all the BSDs. I'm not sure which MacOS X uses by default.

Oh, and please don't ever compare ipfw to iptables. That's like comparing a Rolls Royce to a golf cart.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
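To make the evaluation difference described in the post concrete, here is an added toy model (not from the post, and not pf or ipfw code) of the two semantics: PF's last-match-wins with the quick keyword, and IPFW's numbered first-match-wins. The rule fields, packet shape and sample rulesets are all constructed for illustration.

```python
# Constructed model of rule-evaluation order: PF (last match wins unless
# "quick") versus IPFW (numbered rules, first match wins). Not real firewall code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "pass"/"block" (PF) or "allow"/"deny" (IPFW)
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: Optional[int] = None # None matches any destination port
    quick: bool = False         # PF only: stop evaluating on match
    number: int = 0             # IPFW only: rule number (evaluation order)


@dataclass
class Packet:
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto in ("any", pkt.proto)
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return proto_ok and port_ok


def pf_decide(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """PF: every rule is evaluated; the LAST matching rule sets the action,
    unless a matching rule is marked quick, which ends evaluation there."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def ipfw_decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """IPFW: rules are walked in rule-number order; the FIRST match decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, pkt):
            return r.action
    return default


# Same policy ("only SSH in") written in each style; note the opposite ordering.
PF_RULES = [Rule("block"), Rule("pass", "tcp", 22)]                 # catch-all FIRST
IPFW_RULES = [Rule("allow", "tcp", 22, number=100), Rule("deny", number=65000)]
# PF with quick: the telnet block wins even though a pass-all rule follows it.
PF_QUICK_RULES = [Rule("block", "tcp", 23, quick=True), Rule("pass")]
```

Putting the IPFW deny-all at a lower number than the allow rule denies everything, which is the mistake the numbered first-match model makes easy to see.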