The URL for this document is http://whatexit.org/tal/mywritings/freefilters.html. If you have updates send them via email to firstname.lastname@example.org.
Linux: Packet filtering and firewalling have a long history in Linux. The first filtering mechanism, called "ipfwadm," was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new "ipchains" module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. (2013-10)
|ipf||included with FreeBSD 3.x, 4.x, NetBSD 1.3 to present, OpenBSD 2.x (NOT 3.x), ported to Solaris, IRIX 6.2, HP-UX 11 and many other Unixes||very complete featureset including stateful inspection that goes beyond what most systems do (for example: special ICMP handling for TCP connections).|
|ipfw||included with FreeBSD 4.x||very complete featureset especially rate-controls (traffic shaping) and redirection, and the ability for certain UIDs to have their own rules (User "foo" can't use telnet... bwahahahaha). However stateful inspection is fairly basic. (Not to be confused with Linux's "ipfw" command) (Technically ipfw is the interface to FreeBSD's dummynet(4) traffic shaper. The NAT is userlevel, unlike IP Filter which does it in kernel) FreeBSD has IP Firewall as well as IP Filter because people wanted IPFilter but IP Firewall has a longer established history.|
|ipfw||included with BSD/OS||COMPLETELY UNRELATED TO the FreeBSD ipfw. Some consider this to be, by far, the best firewall package.|
|ipfw||Linux pre-2.0 kernel|
|ipfwadm||Linux kernel 2.0|
|ipchains||Linux kernel 2.2|
|aka "IP Tables" (with commands called "ipfwadm" and "ipchains" for backwards compatibility)||Linux kernel 2.4.0||While developing IP Firewall Chains, Paul Russell decided to create an entirely new framework called "netfilter".|
|OpenBSD 3.x||This is an OpenBSD packet filter. It sports features including bidirectional NAT support, traffic normalization, uid-based rules, a user-level FTP application proxy, IPv6 support, and logging of blocked packets to a dummy interface for debugging.|