In message <20010110144057.H2104@wasabisystems.com>, Luke Mewburn writes:
>NetBSD already has an IP firewall product; it's called `ipfilter'.
>It also does NAT.

Yup.

>I'm curious; what does BSD/OS' ipfw do that ipfilter doesn't?

I'm still working on my paper.  I'm not sure there's any thing you *can't*
do with ipfilter, but ipfw provides a fairly nice interface.  It provides
a language with nested conditionals, and a fair amount of flexibility.
You can do rate limiting of various sorts, you can filter packets at any
of a number of points (on their way into the interface, as they come into
the machine's side of the network interface, before forwarding, after
forwarding, while sending out, right before they hit the output interface),
you can log things, you can rewrite them (up to a point), and so on.

The language is fairly flexible, and it's fairly efficient.

I haven't looked at ipfilter recently, but I seem to recall a lot more
work being necessary in it than is necessary in BSD/OS's ipfw.

(Which, BTW, is *totally* unrelated to FreeBSD's.  They got named the same
by people working independantly.)

Some of it is just convenience stuff, like the ability to just say
	ipfwnat -i ppp0
and have a functional NAT working.  I am told the performance is better
than most similar tweaks, because fewer rules need to actually be evaluated
on most packets, due to the nesting.

There will be an article on it in Daemon News, but I don't have an ETA; I have
to finish stripping "internal only" stuff and flesh out the real content quite
a bit, and I've been busy.

-s