ipfw2 or ipfilter
Hi! I'm looking into if I should go with ipfw2 or ipfilter, anyone that could point me to some links or tell me pro's and con's (both feature and performance wise). Kind Regards, Stefan Cars -- Stefan Cars Snowfall Communications http://www.snowfall.se Tel: +46 (0)18 430 80 50 - Direct: +46 (0)18 430 80 51 Mobile: +46 (0)708 44 36 00 - Fax: +46 (0)708 44 36 04 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw2 or ipfilter
On Mon, Aug 16, 2004 at 06:46:23PM +0200, Stefan Cars wrote: I'm looking into if I should go with ipfw2 or ipfilter, anyone that could point me to some links or tell me pro's and con's (both feature and performance wise). Unless your running quite a complicated setup or have specific requirements then there isn't really any preference for one over the other. If you're running a typical home system, even with say, a 10Mbit/s cable modem connection, any reasonably modern FreeBSD machine is going to be able to do firewall filtering without breaking into a sweat. You'ld need so quite fancy hardware to detect performance differences between the two. Probably the biggest reason to choose one over the other is simple personal preference between the different rule-set styles. ipfw is 'first match wins' (hence rule sets tend to be ordered from most to least specific). ipfilter is 'last match wins', so the most general rules tend to go at the top of rulesets -- although there are special 'quick' rules that can shortcut the process. In general both firewalls have very similar functionality. ipfw(8) can act as a filtering bridge and it can provide weighted fair queuing and bandwidth limited pipes in conjunction with dummynet(4). ipfilter seems to have more complete IPv6 support than ip6fw. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK pgpqIxTh2d78B.pgp Description: PGP signature
ipfw2/dummynet + ipfilter not working together ?
Hi, I have 4.9-RC router on a ADSL access and currently using ipfilter for statefull filtering+nat that is working well. ipfw2 is configured for a long time with a pass all policy. When i try to configure a pipe with queues for traffic shaping as described in the following message (see URL) the TCP connection gets frozen : http://mail.gnu.org/archive/html/mldonkey-users/2003-01/msg00911.html I tried to diagnose what happens and discovered that some packets are said accepted by IPfilter but never gets out of tun0 with pipe/queue activated. If i delete all IPFilter rules (pass all policy) traffic shaping is working right. Everything is working fine if i flush all pipes/queues from ipfw2 configuration but i have no traffic shaping. :/ So, my question is : Is there some incompatabilities between ipfw2/dummynet and IPFilter or maybe there is a bug somewhere ? -- Best regards, Artur Pydo. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw2/dummynet + ipfilter not working together ?
On Mon, Oct 06, 2003 at 11:20:20PM +0200, Artur Pydo wrote: So, my question is : Is there some incompatabilities between ipfw2/dummynet and IPFilter or maybe there is a bug somewhere ? I use ipf for filtering and ipfw2 for dummynet without a problem - sounds like a problem with the dummynet side if you have ipf running ok and ipfw2 with an allow all policy. -- Jez Hancock - System Administrator / PHP Developer http://munk.nu/ ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
