Date: Sun, 23 Jun 1996 02:05:13 +0300 (EET DST)
From: "Andrew V. Stesin" <stesin@elvisti.kiev.ua>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: taob@io.org, freebsd-security@FreeBSD.org
Subject: Re: IPFW vs. IP Filter?
Message-ID: <199606222305.CAA15185@office.elvisti.kiev.ua>
In-Reply-To: <199606221722.KAA20217@freefall.freebsd.org> from "Darren Reed" at Jun 23, 96 03:21:53 am

#
# In some mail from Brian Tao, sie said:
# >
# > BTW, this is in the ipfw man page:
# >
# > | There is one kind of packet that the firewall will always discard, that
# > | is an IP fragment with a fragment offset of one. This is a valid packet,
# > | but it only has one use, to try to circumvent firewalls.
# >
# > I assume ipfilter does this as well?
#
# Not automatically, but you can tell it to do so.
#
# In the author's mind, there might be occasions where you don't want to
# discard those packets although you probably want to know they existed.
#
# Darren
#

Hello people,

as for me, I'm happy with IPfilter so far and observed
only two noticeable problems yet:

1. Sending TCP RST in reply to unsolicited TCP SYN
   didn't work. That was solved, thanks Darren, but
   I'm not 100% sure that this patch is included in
   3.0.4 distribution.

2. With "in-kernel" version, "log body" doesn't work
   for me; I discovered the fact too late, when fighting
   with crashes of our firewall. Disabling all "log body"
   clauses in filtering rules cured those mysterious
   crashes, too, firewall is working for weeks just now,
   as I see. Now when I'm just 90% sure I found the
   source of trouble, which tortured me for weeks,
   probably it's time to go check where exactly it lives.

Building IPfilter. Generally the instructions worked for me;
I did minor modifications to the makefiles to suit my
local needs. Then

    cd FreeBSD; kinstall; cd BSD; make all install

was the correct sequence, I recall.

--

With best regards -- Andrew Stesin.

+380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560

"You may delegate authority, but not responsibility."
Frank's Management Rule #1.
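
Added example (not part of the original message, and not code from ipfw or IP Filter): the check that the quoted ipfw man page text describes, written as a stand-alone C function over a raw IPv4 header. It also counts offset-one fragments, so they are recorded even where policy is not to discard them, as Darren's reply suggests; the function name, the stats struct and the sample headers are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_MALFORMED = -1, V_PASS = 0, V_DISCARD = 1 };

struct frag_stats { unsigned long seen, offset_one; };

/* Constructed 20-byte IPv4 headers (192.0.2.0/24 documentation addresses,
 * checksum left at zero); they differ only in bytes 6-7, flags + offset. */
#define HDR(b6, b7) { 0x45, 0x00, 0x00, 0x14, 0x00, 0x01, (b6), (b7), 0x40, 0x06, \
                      0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02 }
static const uint8_t pkt_whole[20]   = HDR(0x00, 0x00); /* not fragmented   */
static const uint8_t pkt_first[20]   = HDR(0x20, 0x00); /* MF set, offset 0 */
static const uint8_t pkt_off_one[20] = HDR(0x00, 0x01); /* offset 1         */
static const uint8_t pkt_later[20]   = HDR(0x00, 0xb9); /* offset 185       */

/* Return the verdict for one packet and count it, so that offset-one
 * fragments are recorded even when the caller chooses not to drop them. */
enum verdict check_fragment(const uint8_t *pkt, size_t len, struct frag_stats *st)
{
    size_t ihl;
    unsigned off;

    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return V_MALFORMED;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return V_MALFORMED;

    /* Bytes 6-7: 3 flag bits, then a 13-bit offset in 8-byte units. */
    off = (((unsigned)pkt[6] << 8) | pkt[7]) & 0x1fffu;
    if (st != NULL) {
        st->seen++;
        if (off == 1)
            st->offset_one++;
    }
    return off == 1 ? V_DISCARD : V_PASS;
}

int main(void)
{
    struct frag_stats st = { 0, 0 };
    const uint8_t *samples[] = { pkt_whole, pkt_first, pkt_off_one, pkt_later };
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu -> %d\n", i, check_fragment(samples[i], 20, &st));
    printf("seen=%lu offset_one=%lu\n", st.seen, st.offset_one);
    return 0;
}
```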