Firewall

[Robert Watson]

On Sun, 29 Apr 2007, Peter Jeremy wrote:

> On 2007-Apr-28 07:08:18 -0500, Jack Barnett <jackbarnett at gmail.com> wrote:
>> I plan on using NAT so both internal networks can get to the internets.
>>
>> In the FreeBSD documentation I see there are 3 firewalls, IPFIREWALL,
>> IPFILTER and PF (BF?).   I just need to do basic filtering and just a few
>> port forwards.  Nothing to fancy.  Which one would be recommended?
>
> Basically any of them will do what you want.  The major differences are:
> - IPFW (IPFIREWALL) is FreeBSD only.  Note that the NAT is in userland.

One of the big selling points of IPFW is integration with DUMMYNET, which 
offers bandwidth management facilities not present in the other systems.  I 
understand there may be efforts afoot to add DUMMYNET support to other 
firewall packages, but don't have any details.  I have to say that DUMMYNET is 
the main selling point for ipfw on my servers -- being able to rate limit 
arbitrary IP addresses, port numbers, etc, both in terms of inbound and 
outbound traffic is invaluable.

Robert N M Watson
Computer Laboratory
University of Cambridge

> - IPfilter is the most portable.
> - PF runs on *BSD.  Note that (AFAIK) all proxies (eg FTP) are in userland.
>
> Userland NAT or proxies incur significantly higher overheads than
> in-kernel equivalents (because the packets have to cross the
> kernel/userland barrier twice).  This may be an issue if you have a
> very fast Internet connection and an underpowered firewall.
>
> -- 
> Peter Jeremy
>