Free Packet Filters

My feable attempt to catalog which free packet filtering systems come with which free operating systems.

The URL for this document is http://whatexit.org/tal/mywritings/freefilters.html. If you have updates send them via email to tom@limoncelli.org.

Name Command OS Notes

IP Filter ipf included with FreeBSD 3.x, 4.x, NetBSD 1.3 to present, OpenBSD 2.x (NOT 3.x), ported to Solaris, IRIX 6.2, HP-UX 11 and many other Unixes very complete featureset including stateful inspection that goes beyond what most systems do (for example: special ICMP handling for TCP connections).

IP Firewall ipfw included with FreeBSD 4.x very complete featureset especially rate-controls (traffic shaping) and redirection, and the ability for certain UIDs to have their own rules (User "foo" can't use telnet... bwahahahaha). However stateful inspection is fairly basic.
(Not to be confused with Linux's "ipfw" command)
(Technically ipfw is the interface to FreeBSD's dummynet(4) traffic shaper. The NAT is userlevel, unlike IP Filter which does it in kernel)
FreeBSD has IP Firewall as well as IP Filter because people wanted IPFilter but IP Firewall has a longer established history.

IP Firewall ipfw included with BSD/OS COMPLETELY UNRELATED TO the FreeBSD ipfw. Some consider this to be, by far, the best firewall package.

ipfw ipfw Linux pre-2.0 kernel

ipfwadm ipfwadm Linux kernel 2.0

ipchains ipchains Linux kernel 2.2

"netfilter"
aka "IP Tables" iptables
(with commands called "ipfwadm" and "ipchains" for backwards compatibility) Linux kernel 2.4.0 While developing IP Firewall Chains, Paul Russell decided to create an entirely new framework called "netfilter".

pf OpenBSD 3.x This is a OpenBSD packet filter. It sports features including bidirectional NAT support, traffic normalization, uid-based rules, user-level FTP application proxy, IPv6 support, logging of blocked packets to a dummy interface for debugging.

Name	Command	OS	Notes
IP Filter	ipf	included with FreeBSD 3.x, 4.x, NetBSD 1.3 to present, OpenBSD 2.x (NOT 3.x), ported to Solaris, IRIX 6.2, HP-UX 11 and many other Unixes	very complete featureset including stateful inspection that goes beyond what most systems do (for example: special ICMP handling for TCP connections).
IP Firewall	ipfw	included with FreeBSD 4.x	very complete featureset especially rate-controls (traffic shaping) and redirection, and the ability for certain UIDs to have their own rules (User "foo" can't use telnet... bwahahahaha). However stateful inspection is fairly basic. (Not to be confused with Linux's "ipfw" command) (Technically ipfw is the interface to FreeBSD's dummynet(4) traffic shaper. The NAT is userlevel, unlike IP Filter which does it in kernel) FreeBSD has IP Firewall as well as IP Filter because people wanted IPFilter but IP Firewall has a longer established history.
IP Firewall	ipfw	included with BSD/OS	COMPLETELY UNRELATED TO the FreeBSD ipfw. Some consider this to be, by far, the best firewall package.
ipfw	ipfw	Linux pre-2.0 kernel
ipfwadm	ipfwadm	Linux kernel 2.0
ipchains	ipchains	Linux kernel 2.2
"netfilter" aka "IP Tables"	iptables (with commands called "ipfwadm" and "ipchains" for backwards compatibility)	Linux kernel 2.4.0	While developing IP Firewall Chains, Paul Russell decided to create an entirely new framework called "netfilter".
pf		OpenBSD 3.x	This is a OpenBSD packet filter. It sports features including bidirectional NAT support, traffic normalization, uid-based rules, user-level FTP application proxy, IPv6 support, logging of blocked packets to a dummy interface for debugging.

SunScreen 3.1(Lite) Solaris 8 Version 3.1(Lite) came with Solaris8, 3.2 or possiblye 3.2(lite) will be bundled with Solaris9.