Date: 27 Oct 2000 19:21:14 -0400
From: Lowell Gilbert
To: freebsd-stable@freebsd.org
Subject: Re: ipfw security.
References: <8tbkqs$ki$1@FreeBSD.csie.NCTU.edu.tw>
In-Reply-To: feedback@phpStop.com's message of "27 Oct 2000 18:19:08 +0800"
Message-ID: <44d7gm8dm3.fsf@lowellg.ne.mediaone.net>

feedback@phpStop.com ("Stop here. Start everywhere.") writes:

> I thought I would spread this to the mailing list just in case no one
> knew about it, and ask whether ipfw does implement all of the mentioned
> requirements:
>
> ftp://ftp.isi.edu/in-notes/rfc2979.txt
>
> Well, does ipfw support all of it, and if not, what doesn't it support?

RFC 2979 is informational, not a standards-track document, and it puts
very few specific requirements on an implementation. It's more of a set
of design principles for deployment of firewalls than it is a set of
requirements for firewall software.

Like nearly every other piece of packet filtering code (at least, those
that are remotely configurable) I've ever seen, ipfw is perfectly
capable of being used in accordance with 2979, and perfectly capable of
being configured to violate its every stricture. 2979 is (in my opinion)
a good starting point for network administrators to learn what *not* to
do with a packet filter, but that's about all.

- Lowell Gilbert