Date: Sun, 13 Mar 2005 00:16:59 -0800
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Albert Shih <shih@math.jussieu.fr>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw or pf
Message-ID: <20050313081659.GA18080@alzatex.com>
In-Reply-To: <20050304124123.GA12225@math.jussieu.fr>
References: <20050301224201.GC7469@math.jussieu.fr> <20050302090009.R23556@mail.rot-1.de> <20050302115706.GL15179@math.jussieu.fr> <20050303210753.GM30896@alzatex.com> <20050304124123.GA12225@math.jussieu.fr>
On Fri, Mar 04, 2005 at 01:41:23PM +0100, Albert Shih wrote:
> On 03/03/2005 at 13:07:53 -0800, Loren M. Lang wrote:
> > > Well it's not the syntax, I always use packet filter systems (sometimes on
> > > hardware like Foundry/Cisco) where the rule is: first match first use. And
> > > the pf use of entire rules is very strange for me (I know I can use "quick"
> > > but....well it's not the philosophy I think).
> >
> > I like first match better too, but I think pf is sufficiently better
> > that I just use it with quick over ipfw.
> >
>
> Better on what ?

More security features like scrubbing packets. This can look for errors
like bad tcp flag combinations that some port scanners might use. Also,
it is just more flexible by using tables for matches that can even be
updated dynamically. ipf and ipfw would require a completely new rule
to change the firewall. Tables can be used to, say, keep track of a
blacklist of ip addresses like the ones that keep trying to log into ssh
accounts on my server that don't exist. pf also has built-in passive os
fingerprinting if you think that might be useful. Read through the pf
faq on openbsd.org.

>
> I really like to know. And my question is not a troll or something like
> that.
>
> Regards
>
>
> --
> Albert SHIH
> Universite de Paris 7 (Denis DIDEROT)
> U.F.R. de Mathematiques.
> Heure local/Local time:
> Fri Mar 4 13:40:29 CET 2005

--
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA C415 6D35 E847 0118 A3D2
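To make the comparison concrete, here is a minimal pf.conf that puts the features Loren lists side by side: "scrub" for packet normalisation, a persistent table that can be edited at run time without touching the rule set, and "quick" to get the first-match behaviour Albert is used to from ipfw and Cisco-style filters. This is an added illustration, not a configuration posted in the thread; the interface name fxp0, the table name sshbrute and the 192.0.2.0/24 management network are assumed for the example.

```pf
# Added example, not from the thread. Interface name, table name and the
# admin network are assumptions chosen for illustration.
ext_if    = "fxp0"
admin_net = "192.0.2.0/24"

# A persistent table survives rule reloads and is edited at run time with
# pfctl, so blocking a new address does not require a new rule:
#   pfctl -t sshbrute -T add 203.0.113.7     (constructed sample address)
#   pfctl -t sshbrute -T show
#   pfctl -t sshbrute -T delete 203.0.113.7
table <sshbrute> persist

# Normalise incoming packets before any filter rule sees them: reassembles
# fragments and drops illegal TCP flag combinations of the kind some
# scanners send.
scrub in all

# pf is last-match by default: this catch-all loses to any later rule that
# also matches. Logged so that blocked traffic shows up in pflog.
block in log all

# "quick" ends evaluation at this rule, i.e. first-match semantics for the
# blacklist. Addresses in the table never reach the pass rules below.
block in quick on $ext_if from <sshbrute> to any

# SSH only from the management network; the (ext_if) form re-reads the
# interface's address if it changes.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state

# Traffic the host itself initiates.
pass out on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The table is deliberately declared `persist` so that a reload of the rule set does not forget the addresses added with `pfctl -T add`; without `quick` on the blacklist rule, the later `pass in` rule would override it for anything matching both.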