Date:      Sun, 23 Jun 1996 02:05:13 +0300 (EET DST)
From:      "Andrew V. Stesin" <stesin@elvisti.kiev.ua>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        taob@io.org, freebsd-security@FreeBSD.org
Subject:   Re: IPFW vs. IP Filter?
Message-ID:  <199606222305.CAA15185@office.elvisti.kiev.ua>
In-Reply-To: <199606221722.KAA20217@freefall.freebsd.org> from "Darren Reed" at Jun 23, 96 03:21:53 am

# 
# In some mail from Brian Tao, sie said:
# > 
# >     BTW, this is in the ipfw man page:
# > 
# > | There is one kind of packet that the firewall will always discard, that
# > | is an IP fragment with a fragment offset of one.  This is a valid packet,
# > | but it only has one use, to try to circumvent firewalls.
# > 
# >     I assume ipfilter does this as well?
# 
# Not automatically, but you can tell it to do so.
# 
# In the author's mind, there might be occasions where you don't want to
# discard those packets although you probably want to know they existed.
# 
# Darren
# 
	Hello people,

	as for me, I'm happy with IPfilter so far and have observed
	only two noticeable problems yet:

	1.  Sending TCP RST in reply to unsolicited TCP SYN
	    didn't work.  That was solved, thanks Darren,
	    but I'm not 100% sure that this patch is included
	    in 3.0.4 distribution.

	2.  With the "in-kernel" version, "log body" doesn't work for
	    me; I discovered the fact too late, when fighting
	    with crashes of our firewall.  Disabling all "log body"
	    clauses in the filtering rules cured those mysterious crashes,
	    too; the firewall has been working for weeks now, as I see.
	    Now that I'm 90% sure I found the source of the trouble,
	    which tortured me for weeks, it's probably time to
	    go check where exactly it lives.

	Building IPfilter.  Generally the instructions worked for me;
	I made minor modifications to the makefiles to suit my local
	needs.   Then cd FreeBSD; kinstall; cd BSD; make all install
	was the correct sequence, I recall.

-- 

	With best regards -- Andrew Stesin.

	+380 (44) 2760188	+380 (44) 2713457	+380 (44) 2713560

	"You may delegate authority, but not responsibility."
					Frank's Management Rule #1.
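
The "fragment offset of one" rule Brian quotes from the ipfw man page, and Darren's note that IPFilter can be told to do the same, concern one specific IPv4 header field. The following is an added example written for this archive page; it is not code from the original mail, from ipfw or from IPFilter. It parses a raw IPv4 header, applies the offset-one drop the man page describes, and goes one step further with the related tiny-first-fragment check from RFC 1858 (minimum 16 bytes of TCP header in the first fragment, so the flags byte at TCP offset 13 is present). The sample headers, the verdict codes and the `frag_verdict`/`parse_ipv4` names are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: a minimal IPv4 fragment classifier implementing the
 * policy the ipfw man page describes (drop fragment offset == 1) plus
 * the RFC 1858 tiny-first-fragment check. Not code from ipfw or
 * IPFilter; only the standard IPv4 header layout is assumed. */

#define IP_MF           0x2000  /* More Fragments flag            */
#define IP_OFFMASK      0x1fff  /* fragment offset, 8-byte units  */
#define IPPROTO_TCP_NUM 6
#define TCP_MIN_FIRST   16      /* RFC 1858 tmin: bytes of TCP header that
                                   must be in the first fragment so the
                                   flags byte (TCP offset 13) is visible */

struct frag_info {
    int      valid;        /* 1 if a well-formed IPv4 header was found */
    int      is_fragment;  /* MF set, or non-zero offset               */
    unsigned offset;       /* fragment offset, in 8-byte units         */
    unsigned ihl;          /* header length in bytes                   */
    unsigned total_len;    /* IP total length field                    */
    unsigned proto;        /* IP protocol number                       */
};

enum verdict {
    FRAG_PASS            = 0,
    FRAG_DROP_OFFSET_ONE = 1,   /* the ipfw rule quoted in the thread */
    FRAG_DROP_TINY_FIRST = 2,   /* RFC 1858 tiny-fragment check       */
    FRAG_DROP_MALFORMED  = 3
};

/* Parse the fixed part of an IPv4 header out of a raw packet buffer. */
struct frag_info parse_ipv4(const uint8_t *pkt, size_t len)
{
    struct frag_info fi = {0, 0, 0, 0, 0, 0};
    if (len < 20 || (pkt[0] >> 4) != 4)
        return fi;
    fi.ihl       = (pkt[0] & 0x0f) * 4u;
    fi.total_len = ((unsigned)pkt[2] << 8) | pkt[3];
    if (fi.ihl < 20 || fi.ihl > len || fi.total_len < fi.ihl)
        return fi;
    unsigned fragword = ((unsigned)pkt[6] << 8) | pkt[7];
    fi.offset      = fragword & IP_OFFMASK;
    fi.is_fragment = (fragword & IP_MF) != 0 || fi.offset != 0;
    fi.proto       = pkt[9];
    fi.valid       = 1;
    return fi;
}

int frag_verdict(const uint8_t *pkt, size_t len)
{
    struct frag_info fi = parse_ipv4(pkt, len);
    if (!fi.valid)
        return FRAG_DROP_MALFORMED;
    /* Offset 1 places the fragment's data 8 bytes into the datagram,
     * right over the TCP header bytes holding the flags. A first
     * fragment the filter already accepted could have its flags
     * rewritten on reassembly; no normal stack emits such a packet,
     * which is why ipfw drops it regardless of protocol. */
    if (fi.offset == 1)
        return FRAG_DROP_OFFSET_ONE;
    /* First TCP fragment too short to contain the flags byte: the
     * filter cannot see the SYN/ACK bits it is supposed to check. */
    if (fi.is_fragment && fi.offset == 0 && fi.proto == IPPROTO_TCP_NUM
        && fi.total_len - fi.ihl < TCP_MIN_FIRST)
        return FRAG_DROP_TINY_FIRST;
    return FRAG_PASS;
}

/* Constructed sample headers: 20-byte IPv4, protocol TCP,
 * 10.0.0.1 -> 10.0.0.2, checksum left zero. Only bytes 2-3 (total
 * length) and 6-7 (flags/offset) differ between them; payload bytes
 * are not included since the checks only read the header. */
#define HDR(tl_hi, tl_lo, fr_hi, fr_lo) \
    { 0x45, 0x00, tl_hi, tl_lo, 0x12, 0x34, fr_hi, fr_lo, 0x40, 0x06, \
      0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2 }

static const uint8_t pkt_plain[20]      = HDR(0x00, 0x28, 0x40, 0x00); /* DF, not a fragment        */
static const uint8_t pkt_first[20]      = HDR(0x00, 0x64, 0x20, 0x00); /* MF, offset 0, 80 B payload */
static const uint8_t pkt_offset_one[20] = HDR(0x00, 0x28, 0x00, 0x01); /* offset 1                   */
static const uint8_t pkt_tiny_first[20] = HDR(0x00, 0x1c, 0x20, 0x00); /* MF, offset 0, 8 B payload  */

int main(void)
{
    static const char *names[] = { "pass", "drop: offset one",
                                   "drop: tiny first fragment", "drop: malformed" };
    printf("plain:      %s\n", names[frag_verdict(pkt_plain, sizeof pkt_plain)]);
    printf("first:      %s\n", names[frag_verdict(pkt_first, sizeof pkt_first)]);
    printf("offset one: %s\n", names[frag_verdict(pkt_offset_one, sizeof pkt_offset_one)]);
    printf("tiny first: %s\n", names[frag_verdict(pkt_tiny_first, sizeof pkt_tiny_first)]);
    return 0;
}
```

The offset-one check is exactly the always-on behaviour the ipfw man page describes; the tiny-first-fragment check is the companion rule from RFC 1858 that closes the other half of the same trick (hiding the TCP flags from a filter that only inspects the first fragment), and a filter that can log fragments rather than drop them, as Darren describes for IPFilter, would call the same classifier and act on the verdict differently.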