Firewall

Julian Elischer julian at elischer.org
Sun Apr 29 19:23:29 UTC 2007


Peter Jeremy wrote:
> On 2007-Apr-28 07:08:18 -0500, Jack Barnett <jackbarnett at gmail.com> wrote:
>> I plan on using NAT so both internal networks can get to the internets.
>>
>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>> IPFILTER and PF (BF?).   I just need to do basic filtering and just a few
>> port forwards.  Nothing too fancy.  Which one would be recommended?
> 
> Basically any of them will do what you want.  The major differences are:
> - IPFW (IPFIREWALL) is FreeBSD only.  Note that the NAT is in userland.

Though that is just fine for your average DSL link. It is in kernel in 7.0.

> - IPfilter is the most portable.
> - PF runs on *BSD.  Note that (AFAIK) all proxies (eg FTP) are in userland.
> 
> Userland NAT or proxies incur significantly higher overheads than
> in-kernel equivalents (because the packets have to cross the
> kernel/userland barrier twice).  This may be an issue if you have a
> very fast Internet connection and an underpowered firewall.
> 


