IPF or IPFW?

  • 12-05-2002 4:23pm
    #1
    Registered Users, Registered Users 2 Posts: 2,518 ✭✭✭


    Any BSD users out there had any experience with these two types of firewalls?

    I'm just wondering which one to use as the firewall on my gateway (nat) box here.


Comments

  • Registered Users, Registered Users 2 Posts: 521 ✭✭✭Ronin


    I used ipfw on my FreeBSD boxes and it works pretty well. Nice stateful firewalling can be done. Natting would probs be pretty easy as well, although I've never looked at doing natting... man page should have everything you need...

    Paul


  • Registered Users, Registered Users 2 Posts: 4,484 ✭✭✭Gerry


    On the subject of ipfw, I tried to get NAT working in conjunction with ipfw today. It's a custom kernel, and I'm not sure if ip_divert is compiled into the kernel (the kernel was built on another machine anyway).

    I had this ipfw setup working perfectly before this natd requirement was introduced.
    Anyway, the first rule I have to put in is:

    ipfw add 99 divert natd all from any to any via ep0

    (don't have the machine in front of me, but I did have the syntax right at the time, I had the natd man page open :) )

    ipfw did not like this however, and said something like getsockopt error IPFW_ADD.

    Is there another way to check that ip divert is compiled in? I know that ipforwarding is compiled in, but what I understand from the ipfw fwd command is that it leaves the source address in the packet untouched, and just changes the next hop on it, so if you are using private IPs behind the firewall, it won't work, because the remote machine won't be able to route back to your private IP. I could be wrong though... Any help greatly appreciated.


  • Registered Users, Registered Users 2 Posts: 2,518 ✭✭✭Hecate


    this might be of some use:

    http://www.freebsd.org/handbook/natd.html

    The above guide is only aimed at a situation where your machine is acting as a gateway to a leased line or whatever (I think), not if you're using ppp or pppoe. Then it's just a simple case of nat enable YES in ppp.conf.


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    I've used IPF with OpenBSD, never had hassle with it, but they have moved to pf now... which is a pain to write rules for (not very verbose errors) but seems to be better again...


  • Registered Users, Registered Users 2 Posts: 3,280 ✭✭✭regi


    You could have a look at http://whatexit.org/tal/mywritings/freefilters.html though it's fairly minimal.

    I'd tend to use ipfw for FreeBSD and ipf or more likely pf on OpenBSD - what OS are you running?


  • Registered Users, Registered Users 2 Posts: 2,518 ✭✭✭Hecate


    Running FreeBSD 4.6.

    I've actually set up a pretty decent firewall with ipfw, with keep-state and such; but there is a niggling problem in that I can't ping anything. I've heard that in ipf it is possible to configure it to allow you to ping hosts, but not be ping-able yourself.

    Just random paranoia about how evil icmp is, but hey, paranoia is good :)


  • Registered Users, Registered Users 2 Posts: 4,484 ✭✭✭Gerry


    I threw a 4.6 kernel with ipdivert onto the machine today, and all is working perfectly :):)

    Hecate, I think you may be able to do something like:

    ipfw add allow icmp from myip to any keep-state

    I think that would work? I'll test this on the machine during the week, since we want to be able to ping it, but not ping from it, the reverse of your situation :)


  • Closed Accounts Posts: 557 ✭✭✭Snaggle


    IPFW can do some fancy stuff that IPF doesn't do, such as traffic shaping, filtering by UID/GID and so on. If you want to do these things then the obvious choice is IPFW (or use IPFW for these and IPF for everything else). If you don't, however, IPF is a much more mature firewall. It's cleverer about things such as optimising repeated/overlapping rules, it caches the most commonly hit rules, gives more statistical information and so on.

    It has the most mature stateful packet filtering of any open source firewall, and if you have ipfstat compiled with the -t option you can use it as an IP traffic viewer (such as iptraf or trafshow), but since ipfstat gets the information straight off the state information it means:

    1) you don't have to use something like the bpf interface to check traffic stats, since they affect performance more;
    2) even when you're not running your traffic viewer, stats on a connection are kept, so if you just start up ipfstat -t you can see how much traffic has already gone through a connection prior to you looking.

    If you use NAT then IPFW suffers a massive performance drop from having to send raw IP packets to NATD (kernel space to user space to kernel space); ipnat is definitely the better choice in this case. I also prefer ipnat's configuration scheme, I find that they're easier to organise if you have a lot of rules.

    Finally, with firewalls I'd always go for maturity and stability. The thing I've had the most problems with lately is Linux netfilter. It's a good design and has all the features and all, but you also get annoying immaturity bugs, such as: using its IP MASQUERADEing with UDP on a dialup, if you get disconnected and dial back up, and try to connect to the same UDP server again, netfilter would use the old dialup IP address as the source address and you'll have to do something drastic like unload the connection tracking module and **** up every other connection that's being tracked.
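
For comparison with the ipfw approach, here is the same gateway policy written for IPF and ipnat, the in-kernel NAT Snaggle recommends. This is an added example, not configuration from the thread; the interface names (ep0 outside, xl0 inside) and the 192.168.1.0/24 LAN are assumptions. Because ipf filters an outbound packet before ipnat translates it and an inbound packet after ipnat has translated it, state is always keyed on the LAN addresses and no special rule ordering is needed. The shell function just writes the two rule files so they can be inspected before loading.

```shell
#!/bin/sh
# Added example, not from the thread: an ipf(8) rule set plus ipnat(8)
# map rules for a FreeBSD gateway that pings out but is not ping-able,
# with NAT done in the kernel rather than by diverting to natd.
# write_ipf_rules DIR EXT_IF LAN_IF LAN_NET writes DIR/ipf.rules and
# DIR/ipnat.rules. Interface names and the LAN prefix are assumptions.

write_ipf_rules() {
    dir=$1
    ext_if=$2   # e.g. ep0
    lan_if=$3   # e.g. xl0
    lan_net=$4  # e.g. 192.168.1.0/24

    cat > "$dir/ipf.rules" <<EOF
# Loopback and the inside interface are not filtered.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $lan_if all
pass out quick on $lan_if all

# Anti-spoofing: 127/8 and our own LAN prefix never arrive from outside.
block in quick on $ext_if from 127.0.0.0/8 to any
block in quick on $ext_if from $lan_net to any

# Outbound sessions create state; replies come back through the state
# table, which is also what ipfstat -t reports on.
pass out quick on $ext_if proto tcp from any to any flags S keep state
pass out quick on $ext_if proto udp from any to any keep state

# ICMP: we may ping out, nobody may ping us. Unreachable and
# time-exceeded are accepted so PMTU discovery and traceroute work.
pass out quick on $ext_if proto icmp from any to any icmp-type echo keep state
block in quick on $ext_if proto icmp from any to any icmp-type echo
pass in quick on $ext_if proto icmp from any to any icmp-type unreach
pass in quick on $ext_if proto icmp from any to any icmp-type timex

# Everything else on the external interface is dropped and logged.
block in log quick on $ext_if all
block out log quick on $ext_if all
EOF

    cat > "$dir/ipnat.rules" <<EOF
# Translate the LAN to whatever address $ext_if currently has (0/32).
# The portmap line handles TCP/UDP; the second covers ICMP and the rest.
map $ext_if $lan_net -> 0/32 portmap tcp/udp 10000:60000
map $ext_if $lan_net -> 0/32
EOF
}

# Run directly to write the files into the current directory for review.
if [ "$#" -eq 3 ]; then
    write_ipf_rules . "$1" "$2" "$3"
fi
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; `ipfstat -s` shows the state table, `ipnat -l` the active translations, and `ipfstat -t` gives the per-connection traffic view Snaggle describes.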

