Matthew Zeier writes:
> Can anyone tell me the differences between ipf and ipfw ? Which is
> "better" ?
I've used both ipfilter and ipfw and found them both to be usable. I'm
currently using ipfilter on both FreeBSD and Solaris 2.6. Ipfilter rule
groups are a good idea but could be better. I don't remember if ipfw
has something similar.
The NAT facility (ipnat) of ipfilter is practically undocumented for
all but the most common configurations. As far as I can tell, some of
the features (e.g. some in-kernel proxies) actually are undocumented.
If you just want to do something simple, such as map a home network
behind a gateway to your ISP, you can copy one of the trivial examples.
I've never used ipfw's NAT facility (natd) and don't know anything about
its rules.
For heavy NAT traffic, I prefer ipnat because it's in-kernel whereas
natd is a user-space daemon. Most any modest unix box can route IP
practically in its sleep. Ipnat adds an insignificant additional load
since it just twiddles a few bits in the packet as it goes by on the
stack. If I understand natd's implementation correctly, it pushes each
packet out through a pseudo device where it is read, and then rewritten,
by natd. That requires 2 context switches per packet, not to mention
the copying and recopying of the packet data.
Similarly, ipfilter does its filtering in the kernel. I don't remember
if ipfw does its filtering in the kernel or if it uses a user-space
daemon like it does for NAT.
I'd like to hear other opinions on this subject.
Don
--
Don Krapf
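The simple case the post mentions, a home network mapped behind a gateway, as an added illustration that is not part of the original message: an ipnat map rule together with a minimal default-deny ipf ruleset. The interface names ep0 (external, toward the ISP) and ep1 (internal LAN) and the 192.168.1.0/24 network are assumptions for the example.

```conf
# ---- /etc/ipnat.conf (constructed example) ----
# Rewrite the LAN's private source addresses to the address of ep0 ("0/32"
# means "whatever address ep0 currently has", handy for dynamic ISP links).
# The portmap line handles TCP/UDP by rewriting source ports into the given
# range; the second line catches everything else (e.g. ICMP).
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map ep0 192.168.1.0/24 -> 0/32

# ---- /etc/ipf.conf (constructed example) ----
# ipf is last-match unless a rule says "quick", so the two block rules set
# the default and every "quick" rule below short-circuits on first match.
block in log all
block out log all

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private LAN addresses must never arrive on the ISP side,
# and packets from the internal side must carry a LAN source.
block in log quick on ep0 from 192.168.1.0/24 to any
block in log quick on ep1 from !192.168.1.0/24 to any

# Let the LAN initiate outbound connections. "keep state" records each
# connection so the replies are admitted without an explicit "pass in" rule,
# and "flags S" means only a SYN (a new connection) can create that state.
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# Accept traffic from the LAN on the inside interface so it can be forwarded.
pass in quick on ep1 from 192.168.1.0/24 to any
```

Inbound packets on ep0 are un-NATed by ipnat before ipf sees them, and outbound packets are filtered before being NATed, so the filter rules always refer to the private LAN addresses.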