Luigi Rizzo wrote:
> for once i should say:
>
> try ipfw, it does most of the things ipfilter does (except for
> in-kernel nat) and something more (dummynet and fair queueing)
Yes, I actually started with ipfw but I am now migrating to ipf. I
find ipfw and the DIVERT socket quite elegant, but still, I am
migrating. The reasons I am migrating to ipf (and the reasons you
might want to think about this too) are:
- ipf is across all *BSDs
- ipf is more likely to play well with IPsec
- ipf is (arguably) more secure
These points are actually dependent. The maintenance of ipf sounds
pretty strong to me, so I'd trust it more. I am generally worried
about too much splintering between the *BSDs, and I prefer what
leaves me compatible. For PicoBSD issues there is a great benefit
in staying somewhat compatible with NetBSD, namely NetBSD's support
of other machine architectures. StrongARM or MIPS based systems
are often smaller and cheaper. The IPsec/ipf* integration is a
concern of everyone who builds a VPN gateway and firewall. The KAME
people lean towards better IPsec SPD integration with ipf, because
ipf is a platform used across all *BSDs.
Finally, for dummynet and fair queuing I prefer using ALTQ, for
similar reasons. After I have survived the pain of saying goodbye
to ipfw, I wonder why FreeBSD tries to make its own thing with
ipfw instead of just riding the wave of ipf.
regards
-Gunther
--
Gunther Schadow, M.D., Ph.D. gschadow@regenstrief.org
Medical Information Scientist Regenstrief Institute for Health Care
Adjunct Assistant Professor Indiana University School of Medicine
tel:1(317)630-7960 http://aurora.regenstrief.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-small" in the body of the message