* What is the difference between ipfw of *bsd and netfilter of linux?
@ 2004-10-04 20:06 Carlos Mario Mora (c4y0)
  2004-10-04 20:32 ` Aleksandar Milivojevic
  2004-10-05 16:58 ` Jose Maria Lopez
  0 siblings, 2 replies; 8+ messages in thread
From: Carlos Mario Mora (c4y0) @ 2004-10-04 20:06 UTC (permalink / raw)
  To: netfilter

hi!

I'm looking for the difference between ipfw and iptables. Many people
say that ipfw is more secure than iptables, but they can't explain why.

How can I find some documentation to create a document that explains those
differences?

Thanks for your help.




* RE: What is the difference between ipfw of *bsd and netfilter of linux?
@ 2004-10-04 20:29 Daniel Chemko
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel Chemko @ 2004-10-04 20:29 UTC (permalink / raw)
  To: cmora, netfilter

Carlos Mario Mora (c4y0) wrote:
> hi!
> 
> I'm looking for the difference between ipfw and iptables. Many people
> say that ipfw is more secure than iptables, but they can't explain
> why.
> 
> How can I find some documentation to create a document that explains
> those differences?
> 
> Thanks for your help.

When a person says that one firewall is inherently less secure than
another, they are missing the whole point. YOU make firewalls secure, not the
tools. 'Easy' tools (hw fw's, zonealarm, etc.) make it hard to make bad
decisions but also make it hard to build special, optimized solutions. Complex
solutions (cisco, ipfw, netfilter) make it insanely easy to misconfigure
the system, but they allow for specialized and optimal solutions.

Now, on to the question (general notes):

1. ipf is faster than netfilter at a given task.
2. ipf and netfilter firewall security should be equal. You define it,
and they're on the same complexity level, so equal.
3. The xBSD kernel may have fewer network flaws than Linux; I'm not sure,
but I can imagine so. All in all, this is rare in either case on
dedicated firewall hosts.
4. Netfilter has many extensions that solve niche problems that aren't
possible on xBSD platforms.




* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-04 20:06 What is the difference between ipfw of *bsd and netfilter of linux? Carlos Mario Mora (c4y0)
@ 2004-10-04 20:32 ` Aleksandar Milivojevic
  2004-10-05 16:58 ` Jose Maria Lopez
  1 sibling, 0 replies; 8+ messages in thread
From: Aleksandar Milivojevic @ 2004-10-04 20:32 UTC (permalink / raw)
  To: netfilter

Carlos Mario Mora (c4y0) wrote:
> hi!
> 
> I'm looking for the difference between ipfw and iptables. Many people
> say that ipfw is more secure than iptables, but they can't explain why.

If ipfw is what I think it is, then the only difference is better connection 
tracking (it tracks TCP window numbers).  However, Netfilter got that 
support recently as well (as a patch), and it seems that it will be a 
standard part of the Linux kernel as of 2.6.9 (at least by looking into the 
ChangeLog, I might be wrong).

Other than that, I don't see why one would be more secure than the other. 
So I'd say they are becoming about the same as far as security goes.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-04 20:06 What is the difference between ipfw of *bsd and netfilter of linux? Carlos Mario Mora (c4y0)
  2004-10-04 20:32 ` Aleksandar Milivojevic
@ 2004-10-05 16:58 ` Jose Maria Lopez
  2004-10-05 17:23   ` Damjan
  1 sibling, 1 reply; 8+ messages in thread
From: Jose Maria Lopez @ 2004-10-05 16:58 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Mon, 04 Oct 2004 at 22:06, Carlos Mario Mora (c4y0) wrote:
> hi!
> 
> I'm looking for the difference between ipfw and iptables. Many people
> say that ipfw is more secure than iptables, but they can't explain why.
> 
> How can I find some documentation to create a document that explains those
> differences?
> 
> Thanks for your help.

I find netfilter superior in terms of capabilities; it has
more extensions and is technically superior to ipfw. It
lets you do things that you can't do with ipfw. But it's
just an opinion; xBSD supporters would surely say otherwise.
My advice: try both and use the one that suits you better. You
can probably also look into other matters, such as the routing
capabilities of both systems.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-05 16:58 ` Jose Maria Lopez
@ 2004-10-05 17:23   ` Damjan
  2004-10-05 18:24     ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: Damjan @ 2004-10-05 17:23 UTC (permalink / raw)
  To: netfilter

> > I'm looking for the difference between ipfw and iptables. Many people
> > say that ipfw is more secure than iptables, but they can't explain why.
> > 
> > How can I find some documentation to create a document that explains those
> > differences?

> I find netfilter superior in terms of capabilities; it has
> more extensions and is technically superior to ipfw. It
> lets you do things that you can't do with ipfw. But it's
> just an opinion; xBSD supporters would surely say otherwise.
> My advice: try both and use the one that suits you better. You
> can probably also look into other matters, such as the routing
> capabilities of both systems.

While I agree with you that netfilter is easier to use and has more
capabilities, I still can't believe that netfilter (iptables actually)
doesn't have a way to identify rules uniquely (via an ID). Such a simple
feature, so powerful, and still iptables doesn't have it.

And no, line numbers don't identify rules uniquely; they can change at
any moment.



-- 
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!



* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-05 17:23   ` Damjan
@ 2004-10-05 18:24     ` Jason Opperisano
  2004-10-05 19:21       ` Steven M Campbell
  2004-10-22  2:16       ` Damjan
  0 siblings, 2 replies; 8+ messages in thread
From: Jason Opperisano @ 2004-10-05 18:24 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-10-05 at 13:23, Damjan wrote:
> While I agree with you that netfilter is easier to use and has more
> capabilities, I still can't believe that netfilter (iptables actually)
> doesn't have a way to identify rules uniquely (via an ID). Such a simple
> feature, so powerful, and still iptables doesn't have it.
> 
> And no, line numbers don't identify rules uniquely; they can change at
> any moment.

check out the comment patch from POM.

-j

-- 
Jason Opperisano <opie@817west.com>



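An added example (not code from the thread or from the netfilter project) of the approach Jason points to: each rule carries a stable id inside the comment match (`-m comment --comment`, which the thread says is in mainline as of 2.6.9), and the rule is located or deleted by that id rather than by its line number. It parses a constructed `iptables -S INPUT` listing so it runs without root or a netfilter kernel; the `id:NNNN` tag convention and the sample rule set are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Rules carry a stable id in
# netfilter's comment match ("-m comment --comment") and are located by that
# id; line numbers shift whenever a rule is inserted above them.

# Constructed sample of what `iptables -S INPUT` prints for such a chain
# (the id:NNNN tag convention is an assumption, not an iptables feature).
RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m comment --comment "id:1001 ssh from mgmt" -j ACCEPT
-A INPUT -p tcp --dport 80 -m comment --comment "id:1002 http" -j ACCEPT'

# Same chain after `iptables -I INPUT 1 -s 192.0.2.7/32 -j DROP` (constructed):
# every existing rule's line number has moved down by one.
AFTER_INSERT="-P INPUT DROP
-A INPUT -s 192.0.2.7/32 -j DROP
$(printf '%s\n' "$RULES" | grep -v '^-P ')"

# rule_line TAG LISTING -> the -A line whose comment begins with TAG (if any).
rule_line() {
  printf '%s\n' "$2" | awk -v tag="$1" '
    /^-A / && (index($0, "--comment \"" tag " ") || index($0, "--comment \"" tag "\"")) { print; exit }'
}

# rule_position TAG LISTING -> the rule number `iptables -L --line-numbers`
# would show for that rule; returns 1 when no rule carries TAG.
rule_position() {
  printf '%s\n' "$2" | awk -v tag="$1" '
    /^-A / { n++ }
    /^-A / && (index($0, "--comment \"" tag " ") || index($0, "--comment \"" tag "\"")) { print n; found = 1; exit }
    END { if (!found) exit 1 }'
}

# delete_cmd_for_tag TAG LISTING -> an `iptables -D ...` command rebuilt from
# the -S line, which deletes the right rule regardless of its current number.
delete_cmd_for_tag() {
  line=$(rule_line "$1" "$2")
  [ -n "$line" ] || return 1
  printf 'iptables -D %s\n' "${line#"-A "}"
}

echo "ssh rule number before insert: $(rule_position id:1001 "$RULES")"         # 3
echo "ssh rule number after insert:  $(rule_position id:1001 "$AFTER_INSERT")"  # 4
echo "delete by tag (unchanged):     $(delete_cmd_for_tag id:1001 "$AFTER_INSERT")"
```

On a live host the same idea is `iptables -S INPUT | grep 'id:1001' | sed 's/^-A /-D /'` fed back to `iptables`, so a rule can be removed by its tag without first looking up its current number.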

* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-05 18:24     ` Jason Opperisano
@ 2004-10-05 19:21       ` Steven M Campbell
  2004-10-22  2:16       ` Damjan
  1 sibling, 0 replies; 8+ messages in thread
From: Steven M Campbell @ 2004-10-05 19:21 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

Jason Opperisano wrote:

> On Tue, 2004-10-05 at 13:23, Damjan wrote:
>
>> While I agree with you that netfilter is easier to use and has more
>> capabilities, I still can't believe that netfilter (iptables actually)
>> doesn't have a way to identify rules uniquely (via an ID). Such a simple
>> feature, so powerful, and still iptables doesn't have it.
>>
>> And no, line numbers don't identify rules uniquely; they can change at
>> any moment.
>
> check out the comment patch from POM.
>
> -j
>
I feel obliged to add that wrongly configured proxy-arp devices can 
bring havoc onto a network.  I get a few cases a year where some network 
devices had proxy-arp left on (we typically disable it on most devices) 
and a routing error was made; the result on many devices is that the 
device will start answering for IP addresses it has no actual ability 
to communicate with, thereby effectively knocking that device off the 
net.   Just a warning that it can be nasty.




* Re: What is the difference between ipfw of *bsd and netfilter of linux?
  2004-10-05 18:24     ` Jason Opperisano
  2004-10-05 19:21       ` Steven M Campbell
@ 2004-10-22  2:16       ` Damjan
  1 sibling, 0 replies; 8+ messages in thread
From: Damjan @ 2004-10-22  2:16 UTC (permalink / raw)
  To: netfilter

> > While I agree with you that netfilter is easier to use and has more
> > capabilities, I still can't believe that netfilter (iptables actually)
> > doesn't have a way to identify rules uniquely (via an ID). Such a simple
> > feature, so powerful, and still iptables doesn't have it.
> > 
> > And no, line numbers don't identify rules uniquely; they can change at
> > any moment.
> 
> check out the comment patch from POM.

Oh, and it's in kernel 2.6.9 by default... I'm happy again.


-- 
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!


