Re: ipf / ipfw Which to use?

From: Peter Pentchev (
Date: 08/21/01

Date: Tue, 21 Aug 2001 13:58:39 +0300
From: Peter Pentchev <>
To: D J Hawkey Jr <>

On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
> On 21 Aug 2001 09:42:18 +0000, wrote:
> > On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > > I've been playing with both of these and I was wondering why are both
> > > available?
> > > They *seem* to do almost the same thing although ipfw is much more
> > > *tweakable*...
> > >
> > > What's the difference between the two and how should I decide which I
> > > should be using...?
> >
> > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> > dummynet at the same time).
> It's also a matter of efficiency; ipfilter does it all in the kernel, as
> opposed to the packets having to go to userland and back for 'ipfw' to
> play with them.

ipfw does not process packets in userland.

natd, as used with ipfw, processes NAT'd (diverted) packets in userland.
ipnat, as used with ipfilter, processes NAT'd (diverted) packets in the kernel.

For bare firewall functionality, without NAT, ipfw and ipfilter should
perform similarly.

> <extrapolation>
> It therefore seems to me ipfilter might be more secure, as it can't be
> compromised by userland?
> </extrapolation>

Again, this only applies to NAT.

> Personally, I think ipfilter more "tweakable" and/or capable, but that's
> just my opinion.

Both have their strong and weak points.


I've heard that this sentence is a rumor.
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message
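
The two NAT paths contrasted in the reply above, as an added configuration sketch that is not part of the original message. The interface name fxp0, the inside network 192.168.0.0/24 and the rule number 50 are assumptions chosen for illustration.

```conf
# --- ipfw + natd: translation is done by a userland daemon ---------------
# The kernel needs divert(4) support (options IPFIREWALL and IPDIVERT).

# /etc/rc.conf
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"        # assumed outside interface

# ipfw rule (typed at the shell or placed in the firewall script):
# every matching packet is handed to the divert socket that natd listens
# on ("natd" resolves to port 8668 via /etc/services). natd rewrites the
# packet in userland and reinjects it; filtering resumes after rule 50.
ipfw add 50 divert natd all from any to any via fxp0

# Rules without "divert" are matched entirely in the kernel, so a
# filter-only ipfw ruleset never sends packets to userland.

# --- ipfilter + ipnat: translation is done in the kernel -----------------

# /etc/rc.conf
ipfilter_enable="YES"
ipnat_enable="YES"

# /etc/ipnat.rules
# ipnat(8) only loads this mapping into the kernel; the packets
# themselves are translated there and never cross into userland.
map fxp0 192.168.0.0/24 -> 0/32
```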