Date: Thu, 27 Jul 2000 11:47:37 -0400
From: Nick Evans <nevans@nextvenue.com>
To: 'Siobhan Patricia Lynch' <trish@bsdunix.net>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules
Message-ID: <712384017032D411AD7B0001023D799B07CA71@sn1exchmbx.nextvenue.com>
Yeah as far as I know, ipf does NOT work with bridging under FreeBSD, unfortunately.

-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Thursday, July 27, 2000 11:51 AM
To: Nick Evans
Cc: 'freebsd-security@freebsd.org'
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules

I'm not sure, never tried it, I *know* it works with OpenBSD which would
be my choice if using ipf anyway.

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve    trish@bsdunix.net
Rush Networking                 trish@rush.net

On Thu, 27 Jul 2000, Nick Evans wrote:

> It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD
> 4, no? or is your bridging in reference to something else?
>
> -----Original Message-----
> From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
> Sent: Thursday, July 27, 2000 11:31 AM
> To: Darren Reed
> Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
> Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
>
>
> I'm not saying that ipf is bad, in fact, prior to keep-state and
> check-state in ipfw, I used ipf quite a bit.
>
> again, *some* people here know who I work for, but the networking going
> into sites looks like this:
>
> cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content
> switch -> clusters
>
> ipfw works quite well, but wouldn't in this situation prior to freebsd 4.0
>
> if there's something absolutely amazing in the next version of ipf that
> makes my life hella better at work, I'll use it ;)
>
> as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus
> to the office (well not quite yet, but we have the go ahead on that
> project), which is irony, those who know who I am will agree ;)
>
> -Trish
>
> __
>
> Trish Lynch
> FreeBSD - The Power to Serve    trish@bsdunix.net
> Rush Networking                 trish@rush.net
>
> On Thu, 27 Jul 2000, Darren Reed wrote:
>
> > In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > I actually use ipfw for everything, I can't see any real advantage to
> > > ipfilter in a situation that we're using it for (some people know
> > > where I work)
> > >
> > > ipfilter has to be flushed and reloaded, I don't have that luxury
> > >
> > > ipfw I can add rules on the fly.
> >
> > You can do that with ipfilter too.
> >
> > In fact, ipfilter allows you to make complete ruleset changes, on the
> > fly with 0 security risk (i.e. there is no gap of "half your rules
> > being in place").
> >
> > Even at bootup, you can go from "no rules, default = block" to
> > "full ruleset" and not have any packets slip between the cracks
> > as various lines get added to allow/deny things.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
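The "half your rules being in place" window Darren describes above is easy to reason about with a small simulation. The following Python is an added illustration written for this archive page; it is not code from the thread, from ipfilter or from ipfw. It models a last-match packet filter (ipfilter semantics without "quick"), then compares two reload strategies: flush-and-append, where every intermediate ruleset is live, and build-inactive-then-swap, which is the model ipfilter's inactive set follows (the ipf -I and ipf -s operations named in the comments are the real counterpart; the rulesets and packets are constructed for the example). A verdict is flagged as inconsistent when it matches neither the complete old policy nor the complete new one, which is exactly what a partially loaded ruleset produces.

```python
"""Simulate atomic vs incremental firewall ruleset reloads (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_POLICY = "block"   # applies when no rule matches ("default = block" in the thread)


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return self.proto in ("any", pkt.proto) and self.dport in (None, pkt.dport)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """Last-match semantics: the last matching rule wins (ipfilter without 'quick')."""
    result = DEFAULT_POLICY
    for rule in rules:
        if rule.matches(pkt):
            result = rule.action
    return result


Step = Tuple[int, Packet, str]   # (reload step, packet seen at that step, verdict)
Strategy = Callable[[List[Rule], List[Rule], List[Packet]], List[Step]]


def reload_incremental(old: List[Rule], new: List[Rule], traffic: List[Packet]) -> List[Step]:
    """Flush the old set, then append new rules one by one; every partial set is live."""
    live: List[Rule] = []            # step 0: the flush, nothing in place
    states = [list(live)]
    for rule in new:
        live.append(rule)            # step n: first n rules of the new set are live
        states.append(list(live))
    return [(i, pkt, verdict(s, pkt)) for i, s in enumerate(states) for pkt in traffic]


def reload_atomic(old: List[Rule], new: List[Rule], traffic: List[Packet]) -> List[Step]:
    """Load the new set into an inactive slot, then swap; only complete sets are ever live."""
    inactive = list(new)             # counterpart of: ipf -I -f rules  (loaded, not consulted)
    live = old
    states = [live]                  # step 0: traffic still judged by the complete old set
    live, inactive = inactive, live  # counterpart of: ipf -s  (single pointer swap)
    states.append(live)              # step 1: traffic judged by the complete new set
    return [(i, pkt, verdict(s, pkt)) for i, s in enumerate(states) for pkt in traffic]


def inconsistent_verdicts(old: List[Rule], new: List[Rule], steps: List[Step]) -> List[Step]:
    """Verdicts matching neither the whole old policy nor the whole new policy:
    the 'half your rules being in place' window."""
    return [(i, pkt, v) for i, pkt, v in steps
            if v not in (verdict(old, pkt), verdict(new, pkt))]


# Constructed sample: the old policy passes everything except telnet; the new
# policy additionally blocks portmapper.  Traffic arrives throughout the reload.
OLD_RULES = [Rule("pass", "any", None), Rule("block", "tcp", 23)]
NEW_RULES = OLD_RULES + [Rule("block", "tcp", 111)]
TRAFFIC = [Packet("tcp", 23), Packet("tcp", 111), Packet("tcp", 80)]


def gap_for(strategy: Strategy) -> List[Step]:
    """All inconsistent verdicts a reload strategy lets through on the sample."""
    return inconsistent_verdicts(OLD_RULES, NEW_RULES, strategy(OLD_RULES, NEW_RULES, TRAFFIC))


if __name__ == "__main__":
    for name, strategy in (("incremental", reload_incremental), ("atomic", reload_atomic)):
        gap = gap_for(strategy)
        if not gap:
            print(f"{name}: every packet judged by a complete policy")
        for i, pkt, v in gap:
            print(f"{name}: step {i}, {pkt.proto}/{pkt.dport} -> {v} (matches neither policy)")
```

On the sample, the incremental reload produces two inconsistent verdicts: after the flush, tcp/80 is blocked although both policies pass it (an outage), and after only the first rule is back, tcp/23 is passed although both policies block it (the security hole). The atomic swap produces none, which is the property the inactive-set model buys you; the same reasoning applies to the bootup case in the thread, where the inactive set is loaded while "default = block" is still the live policy.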
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?712384017032D411AD7B0001023D799B07CA71>