Date:      Thu, 27 Jul 2000 11:30:31 -0400 (EDT)
From:      Siobhan Patricia Lynch <trish@bsdunix.net>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        Reinoud <Reinoud.Koornstra@ibb.net>, Gerhard Sittig <Gerhard.Sittig@gmx.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID:  <Pine.BSO.4.21.0007271126020.3504-100000@superconductor.rush.net>
In-Reply-To: <200007270735.RAA18535@cairo.anu.edu.au>

I'm not saying that ipf is bad, in fact, prior to keep-state and
check-state in ipfw, I used ipf quite a bit.

again, *some* people here know who I work for, but the networking going
into sites looks like this:

cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
switch -> clusters

ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0

if there's something absolutely amazing in the next version of ipf that
makes my life hella better at work, I'll use it ;)

as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
to the office (well not quite yet, but we have the go ahead on that
project), which is irony, those who know who I am will agree ;)

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve 		trish@bsdunix.net
Rush Networking				trish@rush.net

On Thu, 27 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > 
> > I actually use ipfw for everything, I can't see any real advantage to
> > ipfilter in a situation that we're using it for (some people know
> > where I work)
> > 
> > ipfilter has to be flushed and reloaded, I don't have that luxury
> > 
> > ipfw I can add rules on the fly.
> 
> You can do that with ipfilter too.
> 
> In fact, ipfilter allows you to make complete ruleset changes, on the
> fly with 0 security risk (i.e. there is no gap of "half your rules
> being in place").
> 
> Even at bootup, you can go from "no rules, default = block" to
> "full ruleset" and not have any packets slip between the cracks
> as various lines get added to allow/deny things.
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 






