From owner-freebsd-security Thu Jul 27 8:48:30 2000
Message-ID: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>
From: Nick Evans
To: 'Siobhan Patricia Lynch'
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules)
Date: Thu, 27 Jul 2000 11:43:37 -0400

It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD 4, no? Or is your bridging in reference to something else?

-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Thursday, July 27, 2000 11:31 AM
To: Darren Reed
Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)

I'm not saying that ipf is bad; in fact, prior to keep-state and check-state in ipfw, I used ipf quite a bit.

Again, *some* people here know who I work for, but the networking going into sites looks like this:

cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content switch -> clusters

ipfw works quite well, but wouldn't in this situation prior to FreeBSD 4.0.

If there's something absolutely amazing in the next version of ipf that makes my life hella better at work, I'll use it ;)

As it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from Exodus to the office (well, not quite yet, but we have the go-ahead on that project), which is irony; those who know who I am will agree ;)

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve    trish@bsdunix.net
Rush Networking                 trish@rush.net

On Thu, 27 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> >
> > I actually use ipfw for everything, I can't see any real advantage to
> > ipfilter in a situation that we're using it for (some people know
> > where I work)
> >
> > ipfilter has to be flushed and reloaded, I don't have that luxury
> >
> > ipfw I can add rules on the fly.
>
> You can do that with ipfilter too.
>
> In fact, ipfilter allows you to make complete ruleset changes, on the
> fly with 0 security risk (i.e. there is no gap of "half your rules
> being in place").
>
> Even at bootup, you can go from "no rules, default = block" to
> "full ruleset" and not have any packets slip between the cracks
> as various lines get added to allow/deny things.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
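The atomic ruleset reload Darren describes, as an added example that is not code from the thread or from the IPFilter project: a POSIX sh wrapper that stages a new ruleset into ipf(8)'s inactive list and then swaps lists, shown beside the naive flush-then-load sequence Trish is objecting to. It assumes the IPFilter 3.x/FreeBSD 4 flags -n, -I, -Fa, -f and -s, and an IPF variable that may be pointed at a stub command.

```shell
#!/bin/sh
# Added example, not code from the thread: reload an IPFilter ruleset without
# ever running with an empty or half-loaded rule list, using ipf(8)'s inactive
# list (-I) and list swap (-s). Assumed flags, all from IPFilter 3.x/FreeBSD 4:
#   -n  dry run (parse only, no kernel changes)
#   -I  operate on the inactive list
#   -Fa flush all rules in the selected list
#   -f  load rules from a file
#   -s  swap the active and inactive lists
# IPF can be pointed at another command (e.g. a stub when testing).
IPF="${IPF:-ipf}"

# Naive reload: flush the live list, then load. Between the two commands
# only the kernel default policy applies, which is the "gap" under discussion.
naive_reload() {
    "$IPF" -Fa && "$IPF" -f "$1"
}

# Safe reload: validate, stage into the inactive list, then swap atomically.
# The active list is untouched until the swap, so a bad file or a failed
# load leaves the old rules in force. Return codes: 1 unreadable file,
# 2 syntax error, 3 staging failed, otherwise the exit status of the swap.
safe_reload() {
    rules="$1"
    [ -r "$rules" ] || { echo "safe_reload: cannot read $rules" >&2; return 1; }
    "$IPF" -n -f "$rules" >/dev/null 2>&1 \
        || { echo "safe_reload: syntax error in $rules" >&2; return 2; }
    "$IPF" -I -Fa && "$IPF" -I -f "$rules" || return 3
    "$IPF" -s
}
```

Run as `safe_reload /etc/ipf.rules` from a root shell; the inactive list left behind after the swap holds the previous ruleset, so a second `ipf -s` rolls back.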