From owner-freebsd-hackers Mon Aug 19 07:13:22 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA18162 for hackers-outgoing; Mon, 19 Aug 1996 07:13:22 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA18153 for ; Mon, 19 Aug 1996 07:13:19 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id JAA19166; Mon, 19 Aug 1996 09:11:43 -0500
From: Joe Greco
Message-Id: <199608191411.JAA19166@brasil.moneng.mei.com>
Subject: Re: ipfw vs ipfilter
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Mon, 19 Aug 1996 09:11:42 -0500 (CDT)
Cc: avalon@coombs.anu.edu.au, imp@village.org, jkh@time.cdrom.com, ugen@latte.worldbank.org, hackers@freebsd.org
In-Reply-To: <7036.840432968@critter.tfs.com> from "Poul-Henning Kamp" at Aug 19, 96 07:36:08 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >IP Filter has its own set of regression tests, which you can verify yourself
> >and then against a test run, if you like. Not to mention that this has
> >helped find bugs. Both rule parsing and rule processing are tested for
> >correctness. This is seen in neither ipfw nor ipfwadm for FreeBSD/Linux.
> >In a security conscious world, how can you not want to be sure of something
> >like this?
>
> Uhm, aren't people overlooking the obvious here: We can have both,
> and the user can choose. That was my hope at least.

I would hope that this is the case. I have been very happy with ipfw, and while I am not against exploring other options, I do not see why there can not be two coexisting tools to do this. We have two console drivers. We have two drivers for one of the serial cards. :-) Each one has certain benefits and problems... and it seems to me that the ipfw/ipfilter thing is pretty much the same way.

PHK has, if I remember correctly, done a LOT of work on ipfw and I believe that it would be a shame to waste all the effort that everybody has put into this. Whether or not Ugen has failed to support and develop ipfw is something of an irrelevant issue - FreeBSD has lots of drivers which have not been actively supported or maintained by their authors. ipfilter may or may not be a suitable "replacement" for ipfw, but it would probably be easier and more correct to consider it as a package that can coexist with ipfw and provide much of the same functionality.

... JG