Re: [ILUG] ipfw vs ipchains vs iptables

From: Paul Jakma (paul at domain clubi.ie)
Date: Mon 29 Jul 2002 - 21:46:40 IST

• Next message: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Previous message: Kirk Bollinger: "Re: [ILUG] tcpd"
• In reply to: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Next in thread: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Reply: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

On Mon, 29 Jul 2002, Philip Reynolds wrote:

> Well, that doesn't help you reading your listing.

i can read it fine. :)

if you want readability - a good script is worth just as much.

> > isnt the ipfw code in BSD brand-new aswell? (the old code was
> > rewritten for OpenBSD recently due to licensing concerns).
>
> I think you're talking about IPFilter, and OpenBSD's new PF code.
> Now who's talking FUD :)

ah doh! yes.

i thought the firewalling code on all the BSDs was fairly related -
sorry. So FreeBSD's ipfw is not encumbered in the same way the old
OBSD firewalling was?

> Perhaps, although I think when seriously considering something like
> a firewall, tried and trusted means a hell of a lot. IPFilter would
> probably win that race.

to an extent, i guess so, yes. but i've a few boxes with reasonable
uptimes that run netfilter/iptables. (i've one that has crashed twice
now after 60+ day uptimes. but that doesnt seem to be netfilter).

course, there's a lot more that can go wrong with a firewall than the
firewall code. in that case get 2 boxes and heartbeat them.

> I was talking in terms of the actual firewall. If the company in
> question knows plenty about Linux and nothing about FreeBSD, I'd go
> with a Linux box, merely because when something goes wrong (that
> isn't got to do with ipfw/ipchains/ipfilter), then someone knows
> how to fix it.

indeed. couldnt agree more.

(that's the nice thing about *nix - fact we /can/ have nit-picking
arguments about which *nix and firewall code is better).

> As I said before, I have little to no in-depth experience with
> netfilter, I'm aware of it's basic capabilities and had a quick
> look at it's features in early 2.4 editions but that's it.

i've no experience of ipfw. (closest i've come is looking at IPFilter
for IRIX - but it had a problem in that it wasnt maintained
anymore. however, while the englishy syntax is nice, i dont think
iptables command <args> syntax is a big obstacle).

anyway.. there's choice. and as i understand it, with the advent of
netfilter/iptables there's now almost nothing between them from a
technical POV. (apart from ipfw being in use a lot longer).

regards,

-- 
Paul Jakma	paul at domain clubi.ie	paul at domain jakma.org	Key ID: 64A2FF6A
Fortune:
What a strange game.  The only winning move is not to play.
		-- WOP, "War Games"

• Next message: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Previous message: Kirk Bollinger: "Re: [ILUG] tcpd"
• In reply to: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Next in thread: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Reply: Philip Reynolds: "Re: [ILUG] ipfw vs ipchains vs iptables"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:18:06 GMT