From: Paul Jakma (paulj at domain alphyra.ie)
Date: Mon 29 Jul 2002 - 18:17:12 IST
On Mon, 29 Jul 2002, Philip Reynolds wrote:
> 2. Intuitive syntax
>
> ipfw's syntax is very intuitive, at least compared to ipchains,
> where rules look like a bunch of garble without consulting the
> manpage for 50% of the switches. To someone with a decent working
> knowledge of networking and firewalls, it's fairly easy to see
> what's happening when given a list of ipfw rules, unlike ipchains.
true.
however, there are quite a few setup scripts available for
ipchains/iptables, which can make config just as easy as ipfw.
> 3. Other functions
> ipfw has other functions that you might want, including traffic
> shaping using dummynet and filtering by UID/GID. Something to think
> about for those esoteric needs.
iptables has these too.
> utter bitch to get advanced stateful connections working correctly
> with NAT (that's using the divert option). PPP's rendition of nat
> seems to work fine with it, but it seems to want workarounds and
> hacks to work properly with it's ``divert'' option with the
> out-of-the-box supplied NAT.
works fine with iptables.
> rendition of Linux's firewall, however I would question running
> anything as immature as it in mission-critical situations.
isnt the ipfw code in BSD brand-new aswell? (the old code was
rewritten for OpenBSD recently due to licensing concerns).
the above is a bit FUD'ish.
> Phil.
they're all much of a muchness really. probably best thing is:
- if you're more comfortable with BSD -> ipfw
- ditto for linux -> iptables
--paulj
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:18:06 GMT