Date: Mon, 19 Aug 1996 07:50:05 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: imp@village.org (Warner Losh)
Cc: phk@critter.tfs.com, jkh@time.cdrom.com, ugen@latte.worldbank.org, hackers@FreeBSD.ORG
Subject: Re: ipfw vs ipfilter
Message-ID: <199608182150.OAA14811@freefall.freebsd.org>
In-Reply-To: <199608181615.KAA00454@rover.village.org> from "Warner Losh" at Aug 18, 96 10:15:05 am
In some mail from Warner Losh, sie said:
>
> : The only thing I have against ditching ipfw and replacing with ipfilter
> : is that the latter is getting too big for comfort.
> [...]
> He preferred ipfw to ipfilter (which we've been using for a long time)
> because ipfw was easier to verify than ipfilter because ipfilter has
> added too many bells and whistles for his comfort.

Many of the "bells and whistles" have been added after suggestions from users, or just improving it to be on a par with commercial systems (or better), or just so that it is `complete'. In some cases, the grammar has been extended not to invent a new feature, but because the code already made it possible, so it seemed reasonable to take advantage of that.

IP Filter has its own set of regression tests, which you can verify yourself and then against a test run, if you like. Not to mention that this has helped find bugs. Both rule parsing and rule processing are tested for correctness. This is seen in neither ipfw nor ipfwadm for FreeBSD/Linux.

In a security conscious world, how can you not want to be sure of something like this?

Whilst it might be considered to be "feature rich", I don't think any of them are superfluous. Granted, not many people care about security options in TCP/IP packets, but the same sort of functionality is in Ciscos, not to mention it does get used in IP Filter by some people...

Darren
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608182150.OAA14811>