From: "Larry Rosenman"
To: "Salvo Bartolotta"
Subject: RE: Q: IPFIREWALL or IPFILTER?
Date: Fri, 7 Jul 2000 15:08:42 -0500

can't look at that PR, it's marked confidential...

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Salvo Bartolotta
Sent: Friday, July 07, 2000 2:35 PM
To: Peter.McGarvey@telinco.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Q: IPFIREWALL or IPFILTER?

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/7/00, 5:12:12 PM, Peter McGarvey wrote regarding Q: IPFIREWALL or IPFILTER?:

> In building a new kernel, I can add support for IPFIREWALL and IPFILTER.
> What I'd like to know is what's the difference?
> And which is better?
> And is both a bad idea?
>
> The only firewalls I've ever dealt with are of the packet filtering sort
> built into routers. But now I'm playing with a FreeBSD box with 3 NICs
> so it seems like a good time to learn a bit more about firewalls.
>
> Discovering that FreeBSD supports two I went looking for some sort of
> comparison between the two. But couldn't find anything. Hence, the
> above questions.
>
> --
> TTFN, FNORD
>
> Peter McGarvey, Unix Administrator
> Network Operations Center, Telinco Limited

Dear Peter McGarvey,

I would not like to start a theological dispute in the least :-)

Both of them can be configured with stateful rules. My (as yet limited)
understanding is that, essentially, they perform analogous functions
albeit ipfilter seems to be slightly more flexible. BTW, as an exercise,
I am developing solutions based on both.

You may wish to have a look at Marc's tutorial (on ipfw), which is found
at http://www.freeebsd.org/tutorials/dialup-firewall: mutatis mutandis,
it will provide an excellent starting point; other general information
(about firewalls) is found in the handbook.

You might also want to read the relevant man pages (security(7);
ipfw(8); ipf(1,4,5)), and/or browse a few sites dealing with security
(e.g. http://www.cert.org); as regards ipfilter at large, you may wish to
begin reading
http://www.linuxsecurity.com/resource_files/firewalls/ipf-howto.txt; in
addition, you will want to search the archives, in particular -security,
and gather further (more or less theological) information.

One last note. A couple of days ago a dangerous network-related bug was
detected: you may wish to retrieve kern/19722.

HTH just a tiny bit,
Salvo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message