Date: Thu, 27 Jul 2000 11:50:46 -0400 (EDT)
From: Siobhan Patricia Lynch
To: Nick Evans
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules
In-Reply-To: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>

I'm not sure, never tried it, I *know* it works with OpenBSD which would
be my choice if using ipf anyway.

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve trish@bsdunix.net
Rush Networking trish@rush.net

On Thu, 27 Jul 2000, Nick Evans wrote:

> It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD
> 4, no? or is your bridging in reference to something else?
>
> -----Original Message-----
> From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
> Sent: Thursday, July 27, 2000 11:31 AM
> To: Darren Reed
> Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
>
>
> I'm not saying that ipf is bad, in fact, prior to keep-state and
> check-state in ipfw, I used ipf quite a bit.
>
> again, *some* people here know who I work for, but the networking going
> into sites looks like this:
>
> cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
> switch -> clusters
>
> ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0
>
> if there's something absolutely amazing in the next version of ipf that
> makes my life hella better at work, I'll use it ;)
>
> as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
> to the office (well not quite yet, but we have the go ahead on that
> project), which is irony, those who know who I am will agree ;)
>
> -Trish
>
> __
>
> Trish Lynch
> FreeBSD - The Power to Serve trish@bsdunix.net
> Rush Networking trish@rush.net
>
> On Thu, 27 Jul 2000, Darren Reed wrote:
>
> > In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > I actually use ipfw for everything, I can't see any real advantage to
> > > ipfilter in a situation that we're using it for (some people know
> > > where I work)
> > >
> > > ipfilter has to be flushed and reloaded, I don't have that luxury
> > >
> > > ipfw I can add rules on the fly.
> >
> > You can do that with ipfilter too.
> >
> > In fact, ipfilter allows you to make complete ruleset changes, on the
> > fly with 0 security risk (i.e. there is no gap of "half your rules
> > being in place").
> >
> > Even at bootup, you can go from "no rules, default = block" to
> > "full ruleset" and not have any packets slip between the cracks
> > as various lines get added to allow/deny things.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
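
One way to get the gap-free ruleset change Darren Reed describes is ipf(8)'s inactive list: build the new rules off to the side, then swap lists in a single step. The script below is an added example, not part of the original thread or any poster's configuration; the function name `ipf_atomic_reload`, the `IPF` override variable and the `/etc/ipf.rules` path are assumptions.

```shell
#!/bin/sh
# Added example: replace a whole ipfilter ruleset without a window in
# which only part of the rules are loaded.
# Assumption: IPF names the ipf(8) binary; override it to dry-run or test.
IPF="${IPF:-ipf}"

# Usage (path is an assumed example): ipf_atomic_reload /etc/ipf.rules
ipf_atomic_reload() {
    rules="$1"

    [ -r "$rules" ] || { echo "cannot read rules file: $rules" >&2; return 2; }

    # 1. Parse only (-n makes no kernel changes): a typo in the new file
    #    must never reach either kernel list.
    $IPF -n -f "$rules" || { echo "syntax check failed, nothing changed" >&2; return 1; }

    # 2. Select the INACTIVE list (-I), flush it (-Fa) and load the new
    #    rules into it. Live traffic is still matched against the
    #    untouched active list while this runs.
    $IPF -I -Fa -f "$rules" || { echo "inactive load failed, active rules kept" >&2; return 1; }

    # 3. Swap the active and inactive lists (-s). Packets are filtered by
    #    the complete old set before the swap and the complete new set
    #    after it, never by a partial one.
    $IPF -s
}
```

After a successful swap the previous ruleset sits in the inactive list, so running `ipf -s` again rolls back to it.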