Date: Sun, 18 Aug 1996 10:15:05 -0600
From: Warner Losh <imp@village.org>
To: Poul-Henning Kamp <phk@critter.tfs.com>
Cc: "Jordan K. Hubbard" <jkh@time.cdrom.com>, "Ugen J.S.Antsilevich" <ugen@latte.worldbank.org>, hackers@FreeBSD.ORG
Subject: Re: ipfw vs ipfilter
Message-ID: <199608181615.KAA00454@rover.village.org>
In-Reply-To: Your message of Wed, 14 Aug 1996 16:54:59 +0200
: The only thing I have against ditching ipfw and replacing with ipfilter
: is that the latter is getting too big for comfort.

One of our paranoid villagers recently did a code review on ipfw. He said it was OK, but found a couple of problems. Specifically, the code lacked comments; there was a bug in the IP header fragment discarding code (if the offset was one, it would discard the fragment, but not when it was 2; it should properly discard the fragment for all offsets > 0 and < the size of the headers); and it assumed that the user *REALLY* knew what they were doing with the ipfw command and didn't do any sanity checking on that (this may be the ipfw <-> kernel interface, he wasn't clear in his mail to me).

He preferred ipfw to ipfilter (which we've been using for a long time) because ipfw was easier to verify than ipfilter, since ipfilter has added too many bells and whistles for his comfort.

He has not tried to set up a FreeBSD firewall based on ipfw at this time, so it could be as horrible as Jordan contends. That's the next step.... More on that when it happens.

Warner
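The fragment-offset defect Warner describes (rejecting only offset 1 instead of every non-zero offset that still lands inside the transport header) is easy to see in a small filter check. The following is an added illustration written for this archive page; it is not ipfw's or ipfilter's code. It assumes a 20-byte minimum TCP header as "the size of the headers", parses the 13-bit fragment offset from a constructed IPv4 header, and places the offset-1-only check beside the corrected range check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv4 fragment offset: low 13 bits of header bytes 6-7, in 8-byte units. */
#define IP_OFFMASK 0x1fff
#define FRAG_UNIT  8

/* Transport header a non-first fragment must not overlap.
 * Assumption for this example: the 20-byte minimum TCP header. */
#define TCP_HDR_MIN 20

/* Extract the fragment offset (in 8-byte units) from a raw IPv4 header. */
unsigned ipv4_frag_offset(const uint8_t *hdr)
{
    uint16_t field = (uint16_t)((hdr[6] << 8) | hdr[7]);
    return field & IP_OFFMASK;
}

/* The defect described in the mail: only offset 1 is rejected.
 * A fragment at offset 2 starts at byte 16, still inside a 20-byte
 * TCP header, yet this check lets it through. */
int tiny_fragment_check_buggy(unsigned offset)
{
    return offset == 1;
}

/* Corrected check: drop any non-first fragment whose byte offset falls
 * inside the transport header, i.e. 0 < offset*8 < header size. */
int tiny_fragment_check_fixed(unsigned offset, size_t transport_hdr_len)
{
    return offset > 0 && (size_t)offset * FRAG_UNIT < transport_hdr_len;
}

/* Decide on a raw IPv4 header. Returns 1 = drop, 0 = pass. */
int drop_tiny_fragment(const uint8_t *hdr)
{
    return tiny_fragment_check_fixed(ipv4_frag_offset(hdr), TCP_HDR_MIN);
}

/* Build a constructed (not captured) IPv4 header carrying the given
 * More-Fragments flag and fragment offset. */
void make_ipv4_header(uint8_t *hdr, unsigned mf, unsigned offset)
{
    uint16_t field = (uint16_t)(((mf ? 1u : 0u) << 13) | (offset & IP_OFFMASK));
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                    /* version 4, IHL 5 */
    hdr[3] = 20 + 8;                  /* total length: header + 8 payload bytes */
    hdr[6] = (uint8_t)(field >> 8);
    hdr[7] = (uint8_t)(field & 0xff);
    hdr[8] = 64;                      /* TTL */
    hdr[9] = 6;                       /* protocol: TCP */
}

/* Helper: verdict of the corrected check for a constructed header
 * with the given offset (MF set). */
int drop_for_offset(unsigned offset)
{
    uint8_t hdr[20];
    make_ipv4_header(hdr, 1, offset);
    return drop_tiny_fragment(hdr);
}

int main(void)
{
    for (unsigned off = 0; off <= 3; off++) {
        printf("offset %u: buggy=%d fixed=%d\n", off,
               tiny_fragment_check_buggy(off), drop_for_offset(off));
    }
    return 0;
}
```

With a 20-byte TCP header the corrected check drops offsets 1 and 2 (bytes 8 and 16) and passes offsets 0 and 3; the offset-1-only version passes offset 2, which is exactly the case the reviewer flagged.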