Re: firewall on FreeBSD

2005-06-27 Thread Paul Schmehl
--On June 26, 2005 12:40:14 AM +0100 Alex Zbyslaw <[EMAIL PROTECTED]>
wrote:

> Paul Schmehl wrote:
>> --On June 25, 2005 8:42:24 AM +0200 mess-mate <[EMAIL PROTECTED]> wrote:
>>> I have a firewall/router/proxy with openbsd and am thinking of replacing it
>>> with freebsd 5.4.
>>> Do you mean freebsd's PF doesn't support the 'quick' keyword?
>>> I thought PF on freebsd and openbsd was identical, isn't it?
>>
>> pf on freebsd does support the "quick" keyword.  The "default"
>> firewall, ipfw, does not.
>
> This makes no sense to me.  The two firewalls work very differently.
>
> In pf, each rule is always processed on every packet and the last rule
> matching determines the action.  "quick" terminates the rule matching and
> forces the "quick" rule to be, in effect, the final rule (assuming the
> packet matched it).
>
> ipfw does not match every rule for every packet; rather, it processes down
> the rules until the packet matches one with a terminating action such as
> "accept" or "deny".  No "quick" keyword is needed.

Precisely.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: firewall on FreeBSD

2005-06-26 Thread Nikolas Britton
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
> Van
> Sent: Friday, June 24, 2005 9:33 AM
> To: freebsd-questions
> Subject: firewall on freebsd
> 
> 
> I'm going to learn about the freebsd firewall.  The handbook lists
> some of them and I could not find out which is the best.  So I
> decided to post here hoping to gain some of your opinions and
> experience.
> I would like to know which firewall is the most wanted?  I have used
> Linux for several months and iptables was a good stateful firewall.
> What about in freeBSD?

FreeBSD has m0n0wall and it just works.  For example, yesterday I set up
a site-to-site VPN using two m0n0wall boxes, and it took me less than 5
minutes to reconfigure the boxes, which are in production use, to do it.
I think I spent more time trying to generate a suitable 3DES shared
key than it took to reconfigure the boxes.


Re: firewall on FreeBSD

2005-06-26 Thread Giorgos Keramidas
On 2005-06-26 22:15, Alex Zbyslaw <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas wrote:
> >On 2005-06-26 00:40, Alex Zbyslaw <[EMAIL PROTECTED]> wrote:
> >>>pf on freebsd does support the "quick" keyword.  The "default"
> >>>firewall, ipfw, does not.
> >>>
> >>This makes no sense to me.  The two firewalls work very differently.
> >>[...]
> >>
> >You describe very nicely the way rules are matched by two of the three
> >different firewalls available on FreeBSD.  The description, being very
> >correct, *does* make sense.
> >
> >Why do you say that ``This makes no sense to you''
>
> Maybe I'm misreading something, or taking it out of context, but the
> statement "ipfw does not support the quick keyword" makes no sense to
> me. [...]  Am *I* making any more sense, now?

Yes, thank you :)



Re: firewall on FreeBSD

2005-06-26 Thread Alex Zbyslaw

Giorgos Keramidas wrote:

> On 2005-06-26 00:40, Alex Zbyslaw <[EMAIL PROTECTED]> wrote:
>> Paul Schmehl wrote:
>>> pf on freebsd does support the "quick" keyword.  The "default"
>>> firewall, ipfw, does not.
>>
>> This makes no sense to me.  The two firewalls work very differently.
>>
>> [...]
>
> You describe very nicely the way rules are matched by two of the three
> different firewalls available on FreeBSD.  The description, being very
> correct, *does* make sense.
>
> Why do you say that ``This makes no sense to you''


Maybe I'm misreading something, or taking it out of context, but the 
statement "ipfw does not support the quick keyword" makes no sense to 
me.  For me, it implies that somehow ipfw could (or even should) support 
the quick keyword, and that is nonsensical.  The way ipfw rules work 
there is not only no need to support a quick keyword, but no point in 
supporting one because all relevant matches are already quick, by 
definition.


Maybe I'm being overly pedantic, but if I had stumbled across this 
message in an archive search, and knew nothing about FreeBSD firewalls, 
I could easily take it to mean that ipfw was lacking a feature with 
respect to pf when, in fact, it wasn't.  (There may be plenty of other 
reasons for picking one firewall or the other, but the "lack" of a quick 
keyword in ipfw isn't one of them).


Am *I* making any more sense, now?

--Alex



Re: firewall on FreeBSD

2005-06-26 Thread N.J. Thomas
* Paul Schmehl <[EMAIL PROTECTED]> [2005-06-24 12:58:51 -0500]:
> I've been using pf for a few years now, and I've never had problems
> understanding the syntax or how it works (but I also never do NAT, so
> that might be the reason it seems easy to me.)

Yes, pf is great, but doing NAT with pf is also just as easy to
understand. It depends on what you are doing, but for most people using
NAT is as easy as turning on ip forwarding via sysctl and adding a single
line to your pf.conf configuration file ("nat on $ext_if...").

Thomas

-- 
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
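A complete pf.conf around the single "nat on $ext_if" line mentioned above, as an added example that is not part of the original message or of any FreeBSD documentation. The interface names fxp0/fxp1, the inside network 192.168.1.0/24 and the rc.conf knobs are assumptions for illustration; on the pf version discussed in this thread (the OpenBSD 3.6 port) state has to be requested explicitly, which is why every pass rule carries "keep state".

```pf
# Added example: a minimal /etc/pf.conf for a FreeBSD NAT gateway, not taken
# from the original post.  Interface names and the inside network are assumed.
#
# Prerequisites outside this file (also assumed; adjust to the host):
#   /etc/rc.conf:   pf_enable="YES"
#                   gateway_enable="YES"   # net.inet.ip.forwarding=1 at boot
#   at run time:    sysctl net.inet.ip.forwarding=1
#   load/check:     pfctl -nf /etc/pf.conf   (parse only, loads nothing)
#                   pfctl -f /etc/pf.conf

ext_if  = "fxp0"             # faces the Internet (assumed name)
int_if  = "fxp1"             # faces the LAN (assumed name)
lan_net = "192.168.1.0/24"   # constructed inside network

# Normalise fragments and odd packets before they reach the rules.
scrub in all

# The one line that provides NAT: traffic from the LAN leaving $ext_if gets
# the gateway's current external address as its source.  Translation rules
# are evaluated before the filter rules, and the first matching one wins.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filter rules: the last matching rule wins unless 'quick' ends the search.
block all                                  # default deny, overridden below
pass quick on lo0 all                      # never filter loopback
antispoof quick for { lo0, $int_if }       # drop LAN addresses seen elsewhere

# LAN hosts may start anything; the reply path is carried by state entries,
# so no explicit 'pass in on $ext_if' is needed for return traffic.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Because the last match wins, "block all" at the top is the safe default and the later pass rules punch the holes; with ipfw the same intent would be written the other way round, specific rules first and the catch-all deny last.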


Re: firewall on FreeBSD

2005-06-25 Thread Giorgos Keramidas
On 2005-06-26 00:40, Alex Zbyslaw <[EMAIL PROTECTED]> wrote:
> Paul Schmehl wrote:
> >pf on freebsd does support the "quick" keyword.  The "default"
> >firewall, ipfw, does not.
>
> This makes no sense to me.  The two firewalls work very differently.
>
> In pf, each rule is always processed on every packet and the last rule
> matching determines the action.  "quick" terminates the rule matching
> and forces the "quick" rule to be, in effect, the final rule (assuming
> the packet matched it).
>
> ipfw does not match every rule for every packet; rather, it processes
> down the rules until the packet matches one with a terminating action
> such as "accept" or "deny".  No "quick" keyword is needed.

You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?



Re: firewall on FreeBSD

2005-06-25 Thread Alex Zbyslaw

Paul Schmehl wrote:

> --On June 25, 2005 8:42:24 AM +0200 mess-mate <[EMAIL PROTECTED]> wrote:
>> I have a firewall/router/proxy with openbsd and am thinking of replacing it
>> with freebsd 5.4.
>> Do you mean freebsd's PF doesn't support the 'quick' keyword?
>> I thought PF on freebsd and openbsd was identical, isn't it?
>
> pf on freebsd does support the "quick" keyword.  The "default"
> firewall, ipfw, does not.

This makes no sense to me.  The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule
matching determines the action.  "quick" terminates the rule matching
and forces the "quick" rule to be, in effect, the final rule (assuming
the packet matched it).

ipfw does not match every rule for every packet; rather, it processes
down the rules until the packet matches one with a terminating action
such as "accept" or "deny".  No "quick" keyword is needed.


--Alex



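The two matching models described in the message above, as an added example that is not code from the original thread: a toy evaluator for pf (every rule is visited, the last match wins, and "quick" ends the walk) next to one for ipfw (the first rule with a terminating action wins). The rulesets, addresses and packets are constructed; the rule syntax is a simplification, pf's pass-when-nothing-matches behaviour and ipfw's implicit final deny rule are modelled as the `default` parameters, and the handling of a non-terminating ipfw action such as `count` is an assumption made to show why "terminating" matters.

```python
"""Toy model of rule evaluation in pf (last match wins, 'quick' stops early)
versus ipfw (first terminating match wins).  Added example for this thread;
the rulesets and packets below are constructed, not taken from any host."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # source IPv4 address
    dport: int    # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # pf: "pass"/"block"; ipfw: "allow"/"deny"/"count"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # None or a CIDR such as "192.0.2.0/24"
    dport: Optional[int] = None  # None matches any port
    quick: bool = False          # pf only: stop evaluating when this rule matches

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def pf_evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, int]:
    """pf semantics: walk every rule; the last matching rule sets the verdict,
    unless a matching rule is marked 'quick', which ends the walk at once.
    pf passes a packet that matches no rule at all, hence default="pass".
    Returns (verdict, number of rules evaluated)."""
    verdict, seen = default, 0
    for rule in rules:
        seen += 1
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, seen


IPFW_TERMINATING = {"allow", "deny"}


def ipfw_evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """ipfw semantics: walk the rules in order and stop at the first matching
    rule whose action terminates the search ('allow'/'deny').  A matching
    non-terminating rule (modelled here as 'count') is passed over.  The
    implicit final rule 65535 is represented by `default` ("deny" on a stock
    kernel).  Returns (verdict, number of rules evaluated)."""
    seen = 0
    for rule in rules:
        seen += 1
        if rule.matches(pkt) and rule.action in IPFW_TERMINATING:
            return rule.action, seen
    return default, seen


# A typical pf ruleset: block everything, then open specific services.
# Because the last match wins, the later 'pass' rules override 'block all'.
PF_RULES = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
    Rule("pass", proto="tcp", dport=80),
]
# The same ruleset with a 'quick' block in front: hosts in 192.0.2.0/24 are
# refused at rule 1, and the later pass rules are never consulted.
PF_RULES_QUICK = [Rule("block", src="192.0.2.0/24", quick=True)] + PF_RULES

# The three pf rules copied line-for-line into ipfw: with first-match
# semantics 'deny all' at the top shadows everything below it.
IPFW_NAIVE = [
    Rule("deny"),
    Rule("allow", proto="tcp", dport=22),
    Rule("allow", proto="tcp", dport=80),
]
# The ipfw-idiomatic ordering: specific rules first, catch-all deny last.
IPFW_RULES = [
    Rule("deny", src="192.0.2.0/24"),
    Rule("count"),                       # non-terminating: noted, then skipped
    Rule("allow", proto="tcp", dport=22),
    Rule("allow", proto="tcp", dport=80),
    Rule("deny"),
]


def compare(pkt: Packet) -> Dict[str, Tuple[str, int]]:
    """Run one packet through all four rulesets and return the verdicts."""
    return {
        "pf": pf_evaluate(PF_RULES, pkt),
        "pf_quick": pf_evaluate(PF_RULES_QUICK, pkt),
        "ipfw_naive": ipfw_evaluate(IPFW_NAIVE, pkt),
        "ipfw": ipfw_evaluate(IPFW_RULES, pkt),
    }


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", 22),
                Packet("tcp", "192.0.2.9", 22),
                Packet("udp", "198.51.100.7", 53)):
        print(pkt, compare(pkt))
```

The second number in each verdict is how many rules were visited: pf walks the whole list unless a "quick" rule fires, while ipfw stops at the first terminating match, which is exactly why no "quick" keyword would add anything there. The naive ipfw translation denies everything, showing that a pf ruleset cannot be ported by copying rule order alone.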


Re: firewall on FreeBSD

2005-06-25 Thread Paul Schmehl

--On June 25, 2005 8:42:24 AM +0200 mess-mate <[EMAIL PROTECTED]> wrote:

> I have a firewall/router/proxy with openbsd and am thinking of replacing it
> with freebsd 5.4.
> Do you mean freebsd's PF doesn't support the 'quick' keyword?
> I thought PF on freebsd and openbsd was identical, isn't it?

pf on freebsd does support the "quick" keyword.  The "default" firewall,
ipfw, does not.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: firewall on FreeBSD

2005-06-25 Thread Andrew L. Gould
On Saturday 25 June 2005 09:17 am, mess-mate wrote:
> Andrew L. Gould <[EMAIL PROTECTED]> wrote:
> | On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
> | > mess-mate wrote:
> | > > I have a firewall/router/proxy with openbsd and am thinking of
> | > > replacing it with freebsd 5.4.
> | > > Do you mean freebsd's PF doesn't support the 'quick' keyword?
> | > > I thought PF on freebsd and openbsd was identical, isn't it?
> | >
> | > It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK.
> | > So if your OBSD is the latest or updated after 3.6, then you
> | > might have functionalities not supported yet on FBSD.
> | >
> | > The basic stuff is all the same, I don't think anyone could
> | > survive without 'quick', just as 'pass' and 'block' are supported
> | > on both platforms :-)
> | >
> | > Cheers, Erik
> |
> | Minor correction:  pf is built into the kernel by default in
> | FreeBSD 5.4.  I think this started with FreeBSD 5.3.  It may still
> | be in the ports system; but that would be for use in FreeBSD 4* and
> | earlier versions of 5*.
> |
> | Have a great weekend!
> |
> | Andrew Gould
>
> The openbsd version is 3.5.
> Can I port the pf config file to freebsd?
> Great weekend to you too.
>
> mess-mate

If you're talking about the pf rules file, I think it should work once 
you've changed any OS-specific device/interface names.  You might 
compare the file installed by default in FreeBSD to the one you're 
currently using before you make the change.  Also, I wouldn't make the
change from a remote location. ;-)

Best of luck,

Andrew Gould


Re: firewall on FreeBSD

2005-06-25 Thread mess-mate
Andrew L. Gould <[EMAIL PROTECTED]> wrote:
| On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
| > mess-mate wrote:
| > > I have a firewall/router/proxy with openbsd and am thinking of
| > > replacing it with freebsd 5.4.
| > > Do you mean freebsd's PF doesn't support the 'quick' keyword?
| > > I thought PF on freebsd and openbsd was identical, isn't it?
| >
| > It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
| > if your OBSD is the latest or updated after 3.6, then you might have
| > functionalities not supported yet on FBSD.
| >
| > The basic stuff is all the same, I don't think anyone could survive
| > without 'quick', just as 'pass' and 'block' are supported on both
| > platforms :-)
| >
| > Cheers, Erik
| 
| Minor correction:  pf is built into the kernel by default in FreeBSD 
| 5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
| ports system; but that would be for use in FreeBSD 4* and earlier 
| versions of 5*.
| 
| Have a great weekend!
| 
| Andrew Gould
| 
The openbsd version is 3.5.
Can I port the pf config file to freebsd?
Great weekend to you too.

mess-mate   
--
There is a 20% chance of tomorrow.


Re: firewall on FreeBSD

2005-06-25 Thread Andrew L. Gould
On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
> mess-mate wrote:
> > I have a firewall/router/proxy with openbsd and am thinking of
> > replacing it with freebsd 5.4.
> > Do you mean freebsd's PF doesn't support the 'quick' keyword?
> > I thought PF on freebsd and openbsd was identical, isn't it?
>
> It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So
> if your OBSD is the latest or updated after 3.6, then you might have
> functionalities not supported yet on FBSD.
>
> The basic stuff is all the same, I don't think anyone could survive
> without 'quick', just as 'pass' and 'block' are supported on both
> platforms :-)
>
> Cheers, Erik

Minor correction:  pf is built into the kernel by default in FreeBSD 
5.4.  I think this started with FreeBSD 5.3.  It may still be in the 
ports system; but that would be for use in FreeBSD 4* and earlier 
versions of 5*.

Have a great weekend!

Andrew Gould


Re: firewall on FreeBSD

2005-06-25 Thread Erik Nørgaard

mess-mate wrote:

> I have a firewall/router/proxy with openbsd and am thinking of replacing it
> with freebsd 5.4.
> Do you mean freebsd's PF doesn't support the 'quick' keyword?
> I thought PF on freebsd and openbsd was identical, isn't it?


It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if 
your OBSD is the latest or updated after 3.6, then you might have 
functionalities not supported yet on FBSD.


The basic stuff is all the same, I don't think anyone could survive 
without 'quick', just as 'pass' and 'block' are supported on both 
platforms :-)


Cheers, Erik

--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: firewall on FreeBSD

2005-06-25 Thread Roland Smith
On Sat, Jun 25, 2005 at 08:42:24AM +0200, mess-mate wrote:

> I have a firewall/router/proxy with openbsd and am thinking of replacing it
> with freebsd 5.4.
> Do you mean freebsd's PF doesn't support the 'quick' keyword?
> I thought PF on freebsd and openbsd was identical, isn't it?

I don't know if they're identical, but PF does support the 'quick'
keyword on FreeBSD.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt




Re: firewall on FreeBSD

2005-06-24 Thread mess-mate
...snip...
|
| Personally, I like the "quick" keyword of the OpenBSD firewall, (but not
| enough to bother installing it.)
|
| Paul Schmehl ([EMAIL PROTECTED])

I have a firewall/router/proxy with openbsd and am thinking of replacing it
with freebsd 5.4.
Do you mean freebsd's PF doesn't support the 'quick' keyword?
I thought PF on freebsd and openbsd was identical, isn't it?


mess-mate   
--
What I tell you three times is true.
-- Lewis Carroll


Re: firewall on FreeBSD

2005-06-24 Thread Paul Schmehl

--On June 24, 2005 5:31:13 PM +0100 [EMAIL PROTECTED] wrote:

> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of
>> understanding of how information is moved across the internet.
>> Ipfilter is best suited for people who are just learning about
>> firewalling. PF is a little more automated and the rules are very
>> close to IPF's.
>> IPFW is for the advanced firewall users who have expert
>> understanding of the internet. All 3 firewalls support stateful
>> rules and are available in the 5.4 release. Best advice is start
>> with Ipfilter and when you find out that you have needs which are
>> not met by Ipfilter then move over to IPFW.
>
> Is this right?

If it is, then I'm a lot smarter than I give myself credit for.  The first
firewall I ever used was ipchains.  Then I used iptables, but I never
learned much about either because Linux obscures the config (unless you're
doing something "fancy", you can run "setup" on the cli, click a few check
boxes and you're done).

When I decided to switch a server over to FBSD, I had to read the man page
to understand how pf worked, because there *was* no "setup" to run.  I've
been using pf for a few years now, and I've never had problems
understanding the syntax or how it works (but I also never do NAT, so that
might be the reason it seems easy to me.)

> I started off using IPFW, and found it no harder or easier than
> ipfilter, which I am using now. Can't remember the reason I changed
> to ipfilter, think it might have something to do with being easier to
> use with ipnat, but I am pretty happy with it. Is there anything that
> ipfw does better than ipfilter to make it preferable?

The only thing I would say about firewalls is, know what you're doing and
do it at the console.  There's nothing like having to get dressed and drive
40 miles to fix a box because you screwed up the firewall config while
working remotely to impress upon you the need to work at the console. :-)

Personally, I like the "quick" keyword of the OpenBSD firewall, (but not
enough to bother installing it.)


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/


Re: firewall on freebsd

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:59, Ean Kingston <[EMAIL PROTECTED]> wrote:
> For anyone who wants to start the in-kernel vs user-land NAT argument,
> I've already been through it and there are valid arguments for both
> sides. So, I won't get into it again.

Agreed.  Most of the people who use FreeBSD in SOHO installations (small
office, home office), and have far less than dozens of systems behind a
NAT-ting FreeBSD system will very rarely have a chance to notice *ANY*
difference between userlevel vs. in-kernel NAT.

This top snapshot:
http://keramida.serverhive.com/pixelshow-top.txt

is from a relatively recent demo-party where ipfw/natd were used in a
gateway of more than 100 systems madly downloading files from each other
and from the wide Internet.  Notice the 97% idle cpu percentage :-)

If FreeBSD can handle NAT, packet forwarding, and general connectivity
for more than 100 systems and still sit 97% of the time waiting for
something interesting to happen, then I'd be surprised if SOHO users
with less than 10-15 systems will notice anything :)



Re: firewall on FreeBSD

2005-06-24 Thread Giorgos Keramidas
On 2005-06-24 10:31, fbsd_user <[EMAIL PROTECTED]> wrote:
> Which firewall you select to use should be based on your level of
> understanding of how information is moved across the internet.
>
> Ipfilter is best suited for people who are just learning about
> firewalling. PF is a little more automated and the rules are very
> close to IPF's.

True.

> IPFW is for the advanced firewall users who have expert understanding
> of the internet.

Blatantly false.

> All 3 firewalls support stateful rules and are available in the 5.4
> release. Best advice is start with Ipfilter and when you find out that
> you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too.

The choice of the "best" firewall is, these days, more often than not an
issue of which one matches the specific application and the taste of the
one who is going to set it up, i.e.

  * DUMMYNET is a very nice bandwidth limiting & shaping tool, which may
sometimes lead to choosing IPFW.

  * On the other hand, PF/ALTQ may be used to do similar things, so some
users will obviously prefer this set of tools for other reasons (for
instance, because they like the ruleset style better).

  * IP Filter is almost obsoleted by PF on FreeBSD, but it's still one
of the most portable firewalls out there (I use it on Solaris all
the time, for example).

There isn't a "best firewall for all cases".  They all have their
respective strengths and/or weaknesses.

=== To the original poster ===
I say, try them all out and choose the one _YOU_ prefer, for the reasons
that are important in _YOUR_ setup.

- Giorgos



RE: firewall on freebsd

2005-06-24 Thread Chad Albert
I have been using ipfw for quite some time and I love it.  The only
issues I have with it are on the NAT side.  Without a tool to modify the
current nat rules, I cannot change them dynamically without editing my
config file and then doing something like...
killall -9 natd ; sleep 2 ; /sbin/natd -f /etc/natd.conf &
to reinitialize it.  Also, natd is resource intensive.  I have a PII 266
(not exactly a monster) and natd chews up 20-30 percent of my cpu during
the day while NATing about 3Mb/sec of traffic.  I am planning on
switching to pf and implementing a load-balanced pair of firewalls using
carp and pfsync.  I hope that using an in-kernel nat will help
performance and give me better control while adding/removing rules.

-- Chad


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 8:33 AM
To: freebsd-questions
Subject: firewall on freebsd

I'm going to learn about the freebsd firewall.  The handbook lists
some of them and I could not find out which is the best.  So I decided to
post here hoping to gain some of your opinions and experience.
I would like to know which firewall is the most wanted?  I have used
Linux for several months and iptables was a good stateful firewall.
What about in freeBSD?

Thanks for reading :)
--
--
Cao Van Khanh


Re: firewall on FreeBSD

2005-06-24 Thread martin
On Friday 24 June 2005 15:31, fbsd_user wrote:
> Which firewall you select to use should be based on your level of
> understanding of how information is moved across the internet.
> Ipfilter is best suited for people who are just learning about
> firewalling. PF is a little more automated and the rules are very
> close to IPF's.
> IPFW is for the advanced firewall users who have expert
> understanding of the internet. All 3 firewalls support stateful
> rules and are available in the 5.4 release. Best advice is start
> with Ipfilter and when you find out that you have needs which are
> not met by Ipfilter then move over to IPFW.

Is this right? I started off using IPFW, and found it no harder or easier than 
ipfilter, which I am using now. Can't remember the reason I changed to 
ipfilter, think it might have something to do with being easier to use with 
ipnat, but I am pretty happy with it. Is there anything that ipfw does better 
than ipfilter to make it preferable? 


>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
> Van
> Sent: Friday, June 24, 2005 9:33 AM
> To: freebsd-questions
> Subject: firewall on freebsd
>
>
> I'm going to learn about the freebsd firewall.  The handbook lists
> some of them and I could not find out which is the best.  So I
> decided to post here hoping to gain some of your opinions and
> experience.
> I would like to know which firewall is the most wanted?  I have used
> Linux for several months and iptables was a good stateful firewall.
> What about in freeBSD?
>
> Thanks for reading :)
> --
> --
> Cao Van Khanh


Re: firewall on freebsd

2005-06-24 Thread Michael H. Semcheski
On Friday 24 June 2005 10:59 am, Ean Kingston wrote:
> IPF was written for OpenBSD and later ported to FreeBSD. IPF came into
> existence because of disagreements between certain members of the OpenBSD
> team and the author of IPFilter. Filtering is done in the kernel and I
> believe NAT is also in-kernel.

The OpenBSD packet filter is known as pf, not ipf.  It exists in FreeBSD as 
pf.

I have to say that I find it has some very useful features, though they are 
outside the mainstream firewall feature set.  For instance, authpf.  When you 
log into the firewall (usually via ssh), if the account's login type shell is 
authpf, a special set of firewall rules get loaded for the IP address the 
client is connecting from.

I have used pf and ipfw, and they're both fine.  If I had to pick, I'd choose
pf because I like that it uses a separate configuration file, rather than a
shell script to load its rules.

I'm not an expert on either.

Mike


Re: firewall on freebsd

2005-06-24 Thread Ean Kingston
On June 24, 2005 09:33 am, Khanh Cao Van wrote:
> I'm going to learn about the freebsd firewall.  The handbook lists
> some of them and I could not find out which is the best.  So I decided
> to post here hoping to gain some of your opinions and experience.
> I would like to know which firewall is the most wanted?  I have used
> Linux for several months and iptables was a good stateful firewall.
> What about in freeBSD?

All three are well written and all three pretty much do the same thing. Some 
things you may want to consider when choosing which firewall product to use:

IPFW is part of FreeBSD and only runs on FreeBSD.  Filtering is implemented in 
the kernel, NAT is a user-land daemon.

IPFilter is written to work with many operating systems (FreeBSD and Solaris 
are two examples). Filtering and NAT both run in the kernel.

IPF was written for OpenBSD and later ported to FreeBSD. IPF came into 
existence because of disagreements between certain members of the OpenBSD 
team and the author of IPFilter. Filtering is done in the kernel and I 
believe NAT is also in-kernel.

I have used both IPFW and IPFilter professionally. I prefer IPFW but only 
because I am more used to its filtering language. I have not found a 
sufficiently good technical reason for choosing one over the other.

For anyone who wants to start the in-kernel vs user-land NAT argument, I've 
already been through it and there are valid arguments for both sides. So, I 
won't get into it again.

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network 
administration please feel free to contact me directly.


RE: firewall on FreeBSD

2005-06-24 Thread fbsd_user
Which firewall you select to use should be based on your level of
understanding of how information is moved across the internet.
Ipfilter is best suited for people who are just learning about
firewalling. PF is a little more automated and the rules are very
close to IPF's.
IPFW is for the advanced firewall users who have expert
understanding of the internet. All 3 firewalls support stateful
rules and are available in the 5.4 release. Best advice is start
with Ipfilter and when you find out that you have needs which are
not met by Ipfilter then move over to IPFW.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Khanh Cao
Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd


I'm going to learn about the freebsd firewall.  The handbook lists
some of them and I could not find out which is the best.  So I
decided to post here hoping to gain some of your opinions and
experience.
I would like to know which firewall is the most wanted?  I have used
Linux for several months and iptables was a good stateful firewall.
What about in freeBSD?

Thanks for reading :)
--
--
Cao Van Khanh