Aaron, btw, after having had it suggested to move this thread to darwin-development, i did so last eve .... i won't presume to re-post your reply there, please do so if *you* like ... I've run across a small comparison between ipfilter+ipnat and ipfw+natd in the introduction section of this page: http://neon1.net/misc/firewall.html It seems a bit dated since it says pf doesn't have traffic shaping (altq support in pf (along with a slew of othe rneat features) has since been added). I haven't found anything comparing pf and ipfw2. actually a nice overview, hadn't found this one yet myself ... I'd like to see pf support myself, I use OpenBSD on a couple gateways and the ruleset syntax is very natural. Both altq and nat are integrated well into the ruleset. I have some kernel programming experience, though probably not the level of expertise for a project like this. Regards, Aaron PS- One of those neat little features of pf is the passive OS fingerprinting: block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \ to any port smtp that would be a nice addition to the available Darwin toolkit! thanks, richard On Mon, 24 Nov 2003, OpenMacNews wrote: ok, having done some reading re: pf/ipf, i've got to say that -- altho still a bit foreign -- it definitely seems to be well-featured, and as ipfw2, would be a not insignificant improvement over Darwin's current ipfw. as you, i have to compare ipfw2 & pf in greater depth to 'choose' between the two ... ANYONE OUT THERE HAVE ANY URLs FOR A GOOD/THOROUGH COMPARISONS OF IPFW/IPFW2/PF/IPF? either way, i agree that ipfw is getting 'long in the tooth' ... and would add my voice to suggesting that a discussion here be opened/started here on the matter. it seems to be the right forum ... i'll be happy to contribute what i can as a user, but as a kernel-developer, i'm in over my head :-S cheers, richard _______________________________________________ darwin-kernel mailing list | darwin-kernel@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel Do not post admin requests to the list. They will be ignored.