[nycbug-talk] ipfw, ipf, pf comparison matrix

Sat Sep 9 19:21:51 EDT 2006

Okay, so I'm into firewalls and incomplete charts bug me...

Here's a start at a table that only compares ipfw and pf. Functionality 
has been alphabetized. Comparisons were interesting as similar 
functionality was described using different terminology in the 
documentation for the two firewalls.

I haven't had a need to make firewall rules that included the IP fields
with ipfw keywords (man ipfw) and would appreciate anyone confirming if pf 
also allows you to refer to those fields and how to do so.

I'd also like feedback on further functionality that should be added to 
the chart and a reference proving that a missing * is indeed possible in 
that firewall.

Have fun :-)

Dru

---

Feature			ipfw	pf
----------------------------------
ADDRESS POOLS		*	*
ALTQ			*	*
ANCHORS/RULESETS	*	*
ANTISPOOF		*	*
AUTHPF				*
CARP				*
DUMMYNET		*
DYNAMIC NAT		*	*
FLUSH				*
FTP PROXY			*
GROUP			*	*
ICMP STATE			*
ICMP/6 CODES			*
ICMP/6 TYPES		*	*
INCOMING LOAD BALANCING	*	*
IP OPTIONS		*	*
IP TOS			5	ALL
IPSec			*	*
IPv6			*	*
JAIL			*	NOT YET?
LABELS				*
LISTS			*	*
MAC FILTERING		*	*
MAC-TYPE		*
MACROS			*	*
MAX #				*
MAX-SRC-CONN-RATE		*
MAX-SRC-CONN/LIMIT SRC	*	*
MAX-SRC-NODES			*
MAX-SRC-STATES			*
OPTIMIZATION			*
OSFP				*
OUTGOING LOAD BALANCING		*
OVERLOAD			*
PFSYNC				*
PORT FORWARDING		*	*
PROBABILITY		*	*
PROTOCOL ID		*	*
PROXY FORWARDING	*	*
QUICK				*
SCRUB/FRAG		*	*
SCRUB/MIN-TTL		*	*
SCRUB/MSS		*	*
SCRUB/NO-DF			*
SCRUB/RANDOM-ID			*
SCRUB/REASSEMBLE	*	*
SCRUB/RFC1323		*	*
SOURCE-TRACK			*
STATE MODULATION		*
STATIC NAT		*	*
SYNPROXY			*
TABLES (IPv4)		*	*
TABLES (IPv6)			*
TAGGING				*
TCP FLAGS		*	*
TCP STATE		*	*
UDP STATE		*	*
USER			*	*
VERREVPATH/URPF		*	*
VERSRCREACH/ROUTING	*	*