Date:      Sun, 13 Mar 2005 10:34:18 +0100
From:      Mark Rowlands <mark.rowlands@mypost.se>
To:        freebsd-questions@freebsd.org
Cc:        Albert Shih <shih@math.jussieu.fr>
Subject:   Re: ipfw or pf
Message-ID:  <200503131034.25240.mark.rowlands@mypost.se>
In-Reply-To: <20050313081659.GA18080@alzatex.com>
References:  <20050301224201.GC7469@math.jussieu.fr> <20050304124123.GA12225@math.jussieu.fr> <20050313081659.GA18080@alzatex.com>

On Sunday 13 March 2005 09:16, Loren M. Lang wrote:
> On Fri, Mar 04, 2005 at 01:41:23PM +0100, Albert Shih wrote:
> >  On 03/03/2005 at 13:07:53-0800, Loren M. Lang wrote:
> >
> > > > Well it's not the syntax, I always use packet filter systems
> > > > (sometimes on hardware like Foundry/Cisco) where the rule is: first
> > > > match first use. And pf using the entire rule set is very strange for me
> > > > (I know I can use "quick" but... well it's not the philosophy I
> > > > think).
> > >
> > > I like first match better too, but I think pf is sufficiently better
> > > that I just use it with quick over ipfw.
> >
> > Better on what ?
>
> More security features like scrubbing packets.  This can look for errors
> like bad TCP flag combinations that some port scanners might use.  Also,
> it is just more flexible by using tables for matches that can even be
> updated dynamically.  ipf and ipfw would require a completely new rule
> to change the firewall.  Tables can be used to, say, keep track of a
> blacklist of IP addresses like the ones that keep trying to log into ssh
> accounts on my server that don't exist.

man ipfw 

     ipfw table number add addr[/masklen] [value]
     ipfw table number delete addr[/masklen]
     ipfw table number flush
     ipfw table number list
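The man page excerpt above is the whole of the reply, so here is an added example (not part of the thread and not from the FreeBSD project) of the use case Loren describes done with an ipfw table instead of a pf table: a dynamic blacklist of addresses that keep probing sshd for nonexistent accounts. The sshd log lines are constructed, the table number (1), the threshold and the ruleset in the comment are assumptions, and the table updates are only echoed so the script runs on a host without ipfw loaded.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: derive an ipfw blacklist
# table from sshd "Invalid user" log lines, the same job the pf-table
# example in the quoted reply does.
#
# Assumed ipfw ruleset that consults the table (table 1 is an arbitrary choice):
#   ipfw add 100 deny ip from "table(1)" to any in
#   ipfw add 200 allow tcp from any to me 22 in setup keep-state
#
# Constructed sample of /var/log/auth.log lines (not real data):
SAMPLE_LOG='Mar 13 10:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Mar 13 10:01:05 host sshd[1235]: Invalid user oracle from 192.0.2.10
Mar 13 10:01:09 host sshd[1236]: Invalid user test from 192.0.2.10
Mar 13 10:02:11 host sshd[1240]: Invalid user guest from 198.51.100.7
Mar 13 10:03:15 host sshd[1250]: Accepted publickey for mark from 203.0.113.5 port 5022 ssh2'

THRESHOLD=3   # failed "Invalid user" attempts before an address is listed (assumed)
TABLE=1       # ipfw table number (assumed)

# offenders: print, sorted, every source address that reached THRESHOLD.
# Only "Invalid user ... from <addr>" lines count; successful logins are ignored.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$THRESHOLD" '
          /sshd\[[0-9]+\]: Invalid user .* from / {
              for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
          }
          END { for (ip in n) if (n[ip] >= t) print ip }' \
      | sort
}

# ipfw_commands: the "ipfw table N add addr" lines from the man page excerpt,
# one per offender, echoed rather than executed so this is safe to run anywhere.
ipfw_commands() {
    offenders | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$TABLE" "$ip"
    done
}

ipfw_commands
```

Run periodically from cron against the real log, the echoed lines would be executed instead; the deny rule keeps matching the table as addresses are added or deleted, so no rule in the ruleset itself has to change, which is the point Mark is making with the man page excerpt. Addresses can be aged out with the matching `ipfw table 1 delete addr` form.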




