Hi,

What are the main differences between portfw and mfw in ipmasqadm? For example, Marc prefers mfw in the SuSEfirewall script, but on the other hand I have seen scripts where only portfw is used. The only thing I saw was that in portfw you need to specify the protocol also, tcp / udp. Sorry, until my book arrives there will be more questions coming. Ah yes, when it arrives expect more to come :-)

Have a nice Sunday

--
Togan Muftuoglu
I'd like to know more about this as well. When I had to allow tunnelling through a firewall, I used mfw, mainly because the HOWTO hinted it was superior, but I didn't think it was obvious why; maybe it was faster, more secure, or simply cleaner.

One possibility is that, as you mark a connection for mfw on an initial connection with -y, this is more restrictive than the portfw alternative. Apparently it is possible to initiate malformed connections without the first packet having SYN set, which is one reason for iptables' features being more secure (hopefully) than ipchains-style packet filtering and blocking of 'incoming' connections with -y. In the case of malformed packets, portfw is likely to pass the packets on, whereas they shouldn't have the connection marked for mfw, so should fail to match a ruleset.

When a thread discussed this on the debian-firewalls list, no one posted any hard info on this, so it'll be interesting to see if this list knows better :)

Rob
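To make the two approaches discussed above concrete, here is the same forward written both ways. This is an added example, not a script from either poster or from SuSEfirewall; the addresses are constructed, and the ipmasqadm/ipchains flag letters are given as I remember them from the 2.2-era tools (check `ipmasqadm portfw -h`, `ipmasqadm mfw -h` and `ipchains -h` on the box before relying on them). By default it only prints the commands (dry run); run it with `RUN=` on a 2.2 kernel as root to apply them.

```shell
#!/bin/sh
# Added example for the portfw vs mfw thread (not the posters' code).
# RUN defaults to "echo" so the script is a dry run that prints the rules;
# "RUN= sh portfw-vs-mfw.sh" executes them for real (assumes root, a 2.2
# kernel with masquerading, and ipchains + ipmasqadm installed).
RUN="${RUN-echo}"

# Constructed addresses for the example.
EXTIP=192.0.2.10        # address on the external (masquerading) interface
WEBSRV=192.168.1.2      # internal host to expose on port 80 (tcp) and 53 (udp)

# portfw: the protocol is mandatory (-P tcp|udp), so each protocol needs its
# own rule. Every packet arriving for $EXTIP:80 is handed to $WEBSRV:80,
# whether or not it is the SYN that opens a connection.
portfw_rules() {
    $RUN ipmasqadm portfw -f
    $RUN ipmasqadm portfw -a -P tcp -L "$EXTIP" 80 -R "$WEBSRV" 80
    $RUN ipmasqadm portfw -a -P udp -L "$EXTIP" 53 -R "$WEBSRV" 53
}

# mfw: an ipchains input rule decides what gets marked (-m 1) and ipmasqadm
# mfw maps that mark to the target. With -y the rule only matches TCP packets
# that have SYN set and ACK/FIN clear, so only a proper connection-opening
# packet can create the masquerade entry; a stray non-SYN packet for port 80
# is never marked and therefore never forwarded. Later packets of an
# established connection are handled by the existing masquerade entry.
mfw_rules() {
    $RUN ipmasqadm mfw -F
    $RUN ipchains -I input -p tcp -d "$EXTIP" 80 -y -m 1
    $RUN ipmasqadm mfw -I -m 1 -r "$WEBSRV" 80
}

echo "# portfw variant:"
portfw_rules
echo "# mfw variant:"
mfw_rules
```

The practical difference shown here is that portfw is a pure address/port translation keyed on the protocol, while mfw lets the full ipchains match (including -y) decide which packets are eligible to be forwarded; the protocol still ends up in the rule, but on the ipchains side rather than as an ipmasqadm argument.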
participants (2)
- Robert Davies
- Togan Muftuoglu