Re: [ILUG] ipfw vs ipchains vs iptables

From: Philip Reynolds (phil at domain redbrick.dcu.ie)
Date: Mon 29 Jul 2002 - 18:04:47 IST

• Next message: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Previous message: Paul Jakma: "Re: [ILUG] web amusements..."
• In reply to: Matthew French: "[ILUG] ipfw vs ipchains vs iptables"
• Next in thread: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Reply: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Hi Matthew,

When posed with a choice of ipchains or ipfw (that's FreeBSD
specific, IPFilter is the portable one), I have no hesitation in
saying ipfw each and every time.

1. Stateful Firewalling

You're looking for stateful firewalling, not only does this make
your rulesets easier to read and manage, but it makes life easier in
the security ruleset department as well.

2. Intuitive syntax

ipfw's syntax is very intuitive, at least compared to ipchains,
where rules look like a bunch of garble without consulting the
manpage for 50% of the switches. To someone with a decent working
knowledge of networking and firewalls, it's fairly easy to see
what's happening when given a list of ipfw rules, unlike ipchains.

3. Other functions
ipfw has other functions that you might want, including traffic
shaping using dummynet and filtering by UID/GID. Something to think
about for those esoteric needs.

One thing that I've come across with ipfw is, it's a complete and
utter bitch to get advanced stateful connections working correctly
with NAT (that's using the divert option). PPP's rendition of nat
seems to work fine with it, but it seems to want workarounds and
hacks to work properly with it's ``divert'' option with the
out-of-the-box supplied NAT.

I can't speak for ipfilter/netfilter as I've never used it. The
stateful firewalling at least has been remedied in the 2.4
rendition of Linux's firewall, however I would question running
anything as immature as it in mission-critical situations.

Phil.

Matthew French's [mfrench42 at domain yahoo.co.uk] 56 lines of wisdom included:
> We are looking at a firewall solution for a customer. We can provide a Nokia
> Checkpoint box, but the client is (obviously) concerned about the cost. We
> could also provide our own server and use the respective BSD or Linux
> firewalling functionality.

-- 
  Philip Reynolds        
   RFC Networks          tel: 01 8832063
www.rfc-networks.ie      fax: 01 8832041

• Next message: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Previous message: Paul Jakma: "Re: [ILUG] web amusements..."
• In reply to: Matthew French: "[ILUG] ipfw vs ipchains vs iptables"
• Next in thread: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Reply: Paul Jakma: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:18:06 GMT