From owner-freebsd-security@FreeBSD.ORG Sat May 31 21:05:59 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3F3037B401; Sat, 31 May 2003 21:05:59 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5E2C43F3F; Sat, 31 May 2003 21:05:58 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id WAA03959; Sat, 31 May 2003 22:04:24 -0600 (MDT)
Date: Sat, 31 May 2003 22:04:24 -0600 (MDT)
From: Brett Glass
Message-Id: <200306010404.WAA03959@lariat.org>
To: duke@irpen.kiev.ua, freebsd-security@freebsd.org
In-Reply-To: <20030531122028.A16361@irpen.kiev.ua>
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sun, 01 Jun 2003 04:05:59 -0000

I don't use IPFW and IPFilter together, but IIRC IPFilter steps between
everything else (except for bpf) and the interface. Same for IPNAT, which
integrates with IPFilter.

Since the advent of pf and altq, OpenBSD has had a better firewall
architecture than any of the other BSDs, IMHO. pf can do things which are
awkward in other systems because features were kludged in later.

I've always thought that it would be cool to be able to integrate firewall
components into FreeBSD via its unique NetGraph system. This would let you
filter specific flows of packets very efficiently.

--Brett