When posed with a choice of ipchains or ipfw (that's FreeBSD
specific, IPFilter is the portable one), I have no hesitation in
saying ipfw each and every time.
1. Stateful Firewalling
You're looking for stateful firewalling: not only does this make
your rulesets easier to read and manage, but it makes life easier in
the security ruleset department as well.
2. Intuitive syntax
ipfw's syntax is very intuitive, at least compared to ipchains,
where rules look like a bunch of garble without consulting the
manpage for 50% of the switches. To someone with a decent working
knowledge of networking and firewalls, it's fairly easy to see
what's happening when given a list of ipfw rules, unlike ipchains.
3. Other functions
ipfw has other functions that you might want, including traffic
shaping using dummynet and filtering by UID/GID. Something to think
about for those esoteric needs.
One thing that I've come across with ipfw is that it's a complete and
utter bitch to get advanced stateful connections working correctly
with NAT (that's using the divert option). PPP's rendition of NAT
seems to work fine with it, but it seems to want workarounds and
hacks to work properly with its "divert" option with the
out-of-the-box supplied NAT.
I can't speak for ipfilter/netfilter as I've never used it. The
stateful firewalling at least has been remedied in the 2.4
rendition of Linux's firewall, however I would question running
anything as immature as it in mission-critical situations.
Matthew French's [mfrench42 at yahoo.co.uk] 56 lines of wisdom included:
> We are looking at a firewall solution for a customer. We can provide a Nokia
> Checkpoint box, but the client is (obviously) concerned about the cost. We
> could also provide our own server and use the respective BSD or Linux
> firewalling functionality.
RFC Networks tel: 01 8832063
www.rfc-networks.ie fax: 01 8832041
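The post above argues for ipfw's stateful rules (check-state / keep-state) and readable syntax but shows no ruleset. The script below is an added example, not from the original post or from FreeBSD's own rc.firewall: a minimal stateful ipfw ruleset for a single-homed host with one inbound service (SSH). The outside interface name fxp0 and the DRY_RUN switch are assumptions for the example; with DRY_RUN=1 (the default) the rules are printed rather than loaded, so it runs on any machine. No NAT/divert rule is included, which is exactly the case the post says is painful to combine with keep-state.

```shell
#!/bin/sh
# Added example: minimal stateful ipfw ruleset (not from the original post).
# Assumed values: outside interface fxp0, SSH as the only inbound service.
# DRY_RUN=1 (default) echoes the ipfw commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
OIF="${OIF:-fxp0}"

if [ "$DRY_RUN" = "1" ]; then
    fwcmd="echo ipfw"      # print rules only; safe on any host
else
    fwcmd="/sbin/ipfw"     # really load them (FreeBSD, as root)
fi

# Emit the whole ruleset, one $fwcmd call per rule. In dry-run mode the
# function's stdout is the list of rules, which is what the checks below read.
load_ruleset() {
    $fwcmd -f flush

    # Loopback traffic is fine; 127/8 on any other interface is spoofed.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Dynamic rules first: a packet that matches a live state entry is
    # accepted here, so no per-service "reply" rules are needed further down.
    $fwcmd add 1000 check-state

    # Outbound connections from this host create a state entry (keep-state);
    # "setup" limits the TCP rule to SYN packets that open a connection.
    $fwcmd add 1100 allow tcp from me to any out via "$OIF" setup keep-state
    $fwcmd add 1200 allow udp from me to any out via "$OIF" keep-state
    # Outbound ping with state, so only the matching echo replies get back in.
    $fwcmd add 1300 allow icmp from me to any out via "$OIF" icmptypes 8 keep-state

    # The one inbound service (SSH) also gets a state entry on connection setup.
    $fwcmd add 2000 allow tcp from any to me 22 in via "$OIF" setup keep-state

    # Any other inbound connection attempt is logged and dropped, then the
    # explicit default deny (ipfw's own default rule 65535 is also deny).
    $fwcmd add 9000 deny log tcp from any to any in via "$OIF" setup
    $fwcmd add 65000 deny log ip from any to any
}

# Helpers that inspect the generated ruleset (used by the checks below).
count_rules()       { load_ruleset | grep -c ' add '; }
count_stateful()    { load_ruleset | grep -c 'keep-state'; }
checkstate_first()  {
    # check-state must precede every keep-state rule; compare rule numbers.
    cs=$(load_ruleset | awk '/check-state/ {print $3}')
    load_ruleset | awk -v cs="$cs" '/keep-state/ && $3 <= cs {bad=1} END {exit bad}'
}

load_ruleset
```

Run as-is to print the rules; run with DRY_RUN=0 on a FreeBSD host to load them. The ordering matters: check-state sits before every keep-state rule so that replies to established connections are matched by the dynamic table before the static rules are consulted, which is what makes the ruleset stateful rather than a list of port-by-port exceptions.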