From owner-freebsd-hackers Wed Aug 14 10:58:26 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA17789 for hackers-outgoing; Wed, 14 Aug 1996 10:58:26 -0700 (PDT)
Received: from post.vale.com (post.vale.com [204.117.217.66]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA17783 for ; Wed, 14 Aug 1996 10:58:23 -0700 (PDT)
Received: from jaguar.vale.com by post.vale.com id aa06200; 14 Aug 96 12:57 CDT
Received: by jaguar.vale.com with Microsoft Mail id <01BB89E1.3762F660@jaguar.vale.com>; Wed, 14 Aug 1996 13:05:07 -0500
Message-ID: <01BB89E1.3762F660@jaguar.vale.com>
From: Hal Snyder
To: "hackers@FreeBSD.ORG"
Subject: ipfw considered harmful (not?)
Date: Wed, 14 Aug 1996 13:05:06 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I've used ipfw in the past with very satisfactory results, protecting a small corporation from the Internet. Don't know ipfilter for comparison.

What made ipfw bearable was an rc.ipfw script, beginning with environment variables for major addresses, and the line

    ipfw flush

as the first real ipfw command.

I don't think it would be too hard to graft an HTML/CGI front-end onto ipfw (anyone seen Checkpoint?). Does ipfilter do this?

On the downside - I found the code for ipfw to be unreadable, mainly due to lack of comments in key areas. That always makes me suspicious the writer started with "int i;" rather than a design for the code.

[Nothing personal against the original author - just that I spent over a decade reading student programming efforts and eventually lost all patience with puzzling over needlessly undocumented code.]
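The rc.ipfw pattern the message describes (address variables at the top, a flush as the first real command, then the rules) looks roughly like the script below. This is an added example for this archive page, not Hal Snyder's script and not code from the FreeBSD project; the interface name, the 192.0.2.0/24 network and the host addresses are constructed placeholders, and the variable names are assumed. It uses `ipfw -f flush` rather than the bare `ipfw flush` of the message because later FreeBSD releases prompt for confirmation on a flush unless `-f` (or `-q`) is given, which would hang a boot script. Run without arguments it only prints the rules it would load; `sh rc.ipfw apply` actually feeds them to ipfw.

```shell
#!/bin/sh
# rc.ipfw-style ruleset (added example; addresses and interface are constructed placeholders).
# Usage:  sh rc.ipfw          -> print the rules (dry run, safe on any machine)
#         sh rc.ipfw apply    -> load them with $IPFW (needs root and the ipfw kernel module)

EXT_IF=${EXT_IF:-ed0}                # interface facing the Internet (assumed name)
INT_NET=${INT_NET:-192.0.2.0/24}     # internal network (RFC 5737 documentation range)
MAILHOST=${MAILHOST:-192.0.2.25}     # hosts reachable from outside (constructed)
WEBHOST=${WEBHOST:-192.0.2.80}
IPFW=${IPFW:-/sbin/ipfw}

# Emit one ipfw argument string per line. The flush is always first so that
# re-running the script replaces the ruleset instead of appending duplicates
# to it; ipfw evaluates rules in number order and stops at the first match.
ipfw_rules() {
    cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 deny log ip from $INT_NET to any in via $EXT_IF
add 500 allow tcp from any to any established
add 600 allow tcp from any to $MAILHOST 25 setup
add 700 allow tcp from any to $WEBHOST 80 setup
add 800 allow tcp from $INT_NET to any setup
add 900 allow udp from $INT_NET to any 53
add 910 allow udp from any 53 to $INT_NET
add 1000 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}
# Rule 400 is the anti-spoofing check: a packet arriving inbound on the
# external interface can never legitimately carry an internal source address.
# Rule 500 is the 1990s stateless idiom (ACK/RST set means "part of an existing
# connection"); on a current FreeBSD you would use check-state/keep-state instead.
# Rule 65000 is the explicit default deny, logged, so nothing falls through to
# the kernel's compiled-in default.

rule_count() { ipfw_rules | wc -l | tr -d ' '; }

apply_rules() {
    ipfw_rules | while read -r args; do
        $IPFW $args    # $args deliberately unquoted: it is a word list, not one argument
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     ipfw_rules ;;
esac
```

Because every address lives in a variable at the top, moving the mail host or renumbering the LAN is a one-line change, and the dry-run mode lets you diff two revisions of the ruleset before loading one on a box you can only reach through the interface you are about to firewall.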