From owner-freebsd-security Thu Jul 27 8:31:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 74C7937B947 for ; Thu, 27 Jul 2000 08:31:19 -0700 (PDT) (envelope-from trish@bsdunix.net) Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id LAA01411; Thu, 27 Jul 2000 11:30:31 -0400 (EDT) Date: Thu, 27 Jul 2000 11:30:31 -0400 (EDT) From: Siobhan Patricia Lynch X-Sender: trish@superconductor.rush.net To: Darren Reed Cc: Reinoud , Gerhard Sittig , freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) In-Reply-To: <200007270735.RAA18535@cairo.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm not saying that ipf is bad, in fact, prior to keep-state and check-state in ipfw, I used ipf quite a bit. again, *some* people here know who I work for, but the networking going into sites looks like this: cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content switch -> clusters ipfw works quite well, but wouldn;t in this situation prior to freebsd 4.0 if theres something absolutely amazing in the next version if ipf that makes my life hella better at work, I'll use it ;) as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus to the office (well not quite yet, but we have the go ahead on that project) , which is irony, those who know who I am will agree ;) -Trish __ Trish Lynch FreeBSD - The Power to Serve trish@bsdunix.net Rush Networking trish@rush.net On Thu, 27 Jul 2000, Darren Reed wrote: > In some mail from Siobhan Patricia Lynch, sie said: > > > > I actually use ipfw for everything, I can;t see any real advantage to > > ipfilter in a situation that we're using it for (some people know > > where I work) > > > > ipfilter has to be flushed and reloaded, I don;t have that luxury > > > > ipfw I can add rules on the fly. > > You can do that with ipfilter too. > > In fact, ipfilter allows you to make complete ruleset changes, on the > fly with 0 security risk (i.e. there is no gap of "half your rules > being in place"). > > Even at bootup, you can go from "no rules, default = block" to > "full ruleset" and not have any packets slip between the cracks > as various lines get added to allow/deny things. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message