Date:      Sat, 9 Aug 2003 11:32:13 -0400
From:      Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Message-ID:  <20030809153213.GA2391@dali.cs.wm.edu>
In-Reply-To: <20030808224948.GC2559@cowbert.2y.net>
References:  <20030807191926.50590.qmail@web10108.mail.yahoo.com> <000001c35d26$cd0827b0$0304a8c0@delllaptop> <20030807222255.GA18430@dali.cs.wm.edu> <20030808224948.GC2559@cowbert.2y.net>

On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> What are you meaning by "native"? They both exist as part of the base FreeBSD
> kernel; so in that sense, both ipf and ipfw are "native" to FreeBSD.

Notice that I said "AFAIK" in the original message below.  But let me
elaborate.

I had in mind this sentence from FreeBSD Handbook, Section 10.7.1

	"FreeBSD comes with a kernel packet filter (known as IPFW),
	which is what the rest of this section will concentrate on."

The handbook does _not_ talk about IPF.

Also, this document
	http://www.freebsd.org/news/status/report-may-2002-june-2002.html
says (notice the word "native" in the first sentence, please):

	"In summer 2002 the native FreeBSD firewall has been completely
	rewritten in a form that uses BPF-like instructions to perform
	packet matching in a more effective way. The external user
	interface is completely backward compatible, though you can make
	use of some newer match patterns (e.g. to handle sparse sets of
	IP addresses) which can dramatically simplify the writing of
	ruleset (and speed up their processing). The new firewall,
	called ipfw2, is much faster and easier to extend than the old
	one. It has been already included in FreeBSD-CURRENT, and
	patches for FreeBSD-STABLE are available from the author."

I rest my case.

> I don't see how this argument is appropriate for choosing one over the
> other anyway.

That was exactly my point.  Chris Odell admonished the original poster
for using IPFW, stating that IPF is native to *BSD.  I simply wanted to
point out that that is not the exact state of affairs.

> 
> On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > > 
> > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF for
> > > firewalling, and IPFW for throttling via dummy net. My recommended
> > > reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls"...
> > 
> > Where did you get this information?
> > 
> > Native firewall for FreeBSD is ipfw, AFAIK.  It's even used on OS X as a
> > native firewall, due to Darwin's FreeBSD roots.
> > 
> > Also, OpenBSD stopped using ipf four releases ago.  The native firewall
> > for OpenBSD is pf.  pf inherited much of the syntax from ipf, but also
> > extended it and added some features.
> > 
> > That said, I personally find ipf quite a good stateful firewall and its
> > syntax can feel more natural than ipfw syntax.  It also works on Solaris
> > and other OS's besides *BSDs.

Best regards,
-- 
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/