From: Peter Pentchev (roamringlet.net)
Date: Tue Aug 21 2001 - 05:58:39 CDT
On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
> On 21 Aug 2001 09:42:18 +0000, wkbfreebie.xs4all.nl wrote:
> > On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > > I've been playing with both of these and I was wondering why are both
> > > available?
> > > They *seem* to do almost the same thing although ipfw is much more
> > > *tweakable*...
> > >
> > > What's the difference between the two and how should I decide which I
> > > should be using...?
> > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> > dummynet at the same time).
> It's also a matter of efficiency; ipfilter does it all in the kernel, as
> opposed to the packets having to go to userland and back for 'ipfw' to
> play with them.
ipfw does not process packets in userland.
natd, as used with ipfw, processes NAT'd (diverted) packets in userland.
ipnat, as used with ipfilter, processes NAT'd (diverted) packets in the kernel.
For bare firewall functionality, without NAT, ipfw and ipfilter should
> It therefore seems to me ipfilter might be more secure, as it can't be
> compromised by userland?
Again, this only applies to NAT.
> Personally, I think ipfilter more "tweakable" and/or capable, but that's
> just my opinion.
Both have their strong and weak points.
--
I've heard that this sentence is a rumor.
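To make the kernel/userland distinction in the reply above concrete, here is an added configuration example (not part of the thread, and not the FreeBSD project's own sample files) showing the two setups side by side: ipfw handing NAT to the natd daemon over a divert socket, and ipfilter with ipnat keeping translation in the kernel. The interface name fxp0 and the private network 192.168.1.0/24 are assumed placeholders.

```conf
# Added example, not from the thread. Interface fxp0 and the network
# 192.168.1.0/24 are assumed placeholders; adjust for the real host.

# ---- ipfw + natd: filtering in kernel, NAT in a userland daemon ----
# Kernel config needs:  options IPFIREWALL  and  options IPDIVERT
# /etc/rc.conf
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"

# /etc/ipfw.rules (each line is passed to ipfw(8) as arguments)
# Rule 50 is the only point where a packet leaves the kernel: it is
# copied to the "natd" divert port (8668/divert in /etc/services),
# rewritten by the natd process, re-injected, and then continues
# matching from the rule after the divert.
add 50 divert natd ip from any to any via fxp0
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to any 22 in via fxp0 setup
add 65000 deny log ip from any to any

# ---- ipfilter + ipnat: filtering and NAT both in kernel ----
# Kernel config needs:  options IPFILTER
# /etc/rc.conf
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules: translation is done inside the ipfilter kernel
# code; no packet is handed to a userland process.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules
pass in quick on lo0 all
pass out quick on lo0 all
block in log on fxp0 all
pass out on fxp0 proto tcp from any to any flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
```

The point the reply makes is visible in the first half: without rule 50 (or with natd not running) every ipfw decision is made in the kernel, exactly as with ipfilter. The divert rule is what introduces the userland round trip, and only for the traffic it matches; on the ipfilter side the equivalent step is the two `map` lines, which never leave kernel context.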