Date: Mon, 28 Dec 1998 01:30:29 +0100
From: Thomas Stromberg <tstromberg@rtci.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>, freebsd-current@FreeBSD.ORG
Subject: Re: wanton Atticizing is bad
Message-ID: <3686D125.49EBFD9@rtci.com>
References: <68606.914783086@critter.freebsd.dk>
Poul-Henning Kamp wrote:
>> IPFILTER
>>
>> Wasn't this _just_recently_ committed? Why commit it in the first place if
>> no one really wants it? Personally, I use IPFW.
>
> Yeah, the jury is still out on this one... Any users out there ?

If anyone on this list has never used ipfilter, I highly recommend it over
ipfw. See http://cheops.anu.edu.au/~avalon/ for more information on it.

I personally just switched from ipfw (after over a year of usage) on all of
our firewalls to ipfilter. Why the switch? I heard its acclaim after it was
committed into -CURRENT, and also read up on some sites like
http://www.freebsddairy.com ... I think these are the reasons why I prefer
ipfilter over ipfw:

1. I felt a larger range of control in its setup. Although I don't
   particularly like the rules mechanism and shortcut it all with the
   "quick" operand, I find the rule definition to be finer tuned.

2. Cross-platformness. I fully intend to deploy ipfilter on some IRIX and
   Solaris boxes in the near future (as a "personal" firewall hack). I find
   it extremely pleasing that I can use ipfilter on our IRIX, Solaris,
   BSD/OS, and FreeBSD machines. It gives me the ability to template
   everything out. IPFilter is now also a part of OpenBSD and NetBSD, and
   works in Linux as well as the aforementioned operating systems.

3. The primary reason for the switch: more descriptive logging. While this
   could be changed in ipfw easily, it was here for me in ipfilter already.
   Why limit yourself to seeing "ipfw: denied ICMP type x.x from x to x"
   when you can have ipfilter say:

   Dec 27 19:18:31 under ipmon[341]: 19:18:30.453472 xl0 @0:29 p 206.115.158.181 -> 216.27.37.14 PR icmp len 20 56 icmp 3/1 for 216.27.37.14,21 - 208.251.56.92,1228 PR tcp len 20 24576

4. Not only does it log those, but if needed, it also keeps 128 bytes of
   the packet. I'll give you that it is a highly unreadable output, but
   that's what parsers are for... which is why I wrote syslogcat to parse
   and/or monitor (in tail -f style) ipfilter/ipfw/everything else into
   English: ftp://ftp.suspicion.org/pub/projects/syslogcat/

For me the question isn't "Why keep ipfilter?"; the question for me on my
LAN is "Why bother with IPFW and all of the proprietary packet filtering
systems each OS has when I can just standardize on ipfilter?". While IPFW is
fine and all, I don't see any advantage to it over ipfilter at this point.

While ipfilter is very easy to compile if it's not included in the core OS,
I think it would be a shame, because if it had never been committed, I for
one would never have found how nice it is.

If anyone is interested, I have a "personal" ipfilter ruleset used on my
3.0-CURRENT testing station available on
ftp://ftp.suspicion.org/pub/misc/myconfig/ and the old ipfw ruleset that it
replaced.

-- 
---------------------------------------------------------------------
Thomas Stromberg                                thomas@stromberg.org
Senior Systems Administrator,              (919) 380-9771 ext. 3210
Research Triangle Consultants, Inc.        FreeBSD: The Power to Serve.
---------------------------------------------------------------------
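The ipmon line quoted in the message is the kind of record that item 4 says you hand to a parser. The following Python parser is an added example for this archive page; it is not code from the original message, from syslogcat, or from the IPFilter project. The field layout it assumes (time, interface, @group:rule, action flag, source -> destination with comma-separated ports, "PR proto len hlen plen", then an optional "icmp type/code" and an optional "for ..." clause quoting the datagram that triggered an ICMP error) is inferred from that single quoted line, so it is an assumption rather than a specification of ipmon's format. The second sample line, a blocked telnet SYN, is constructed for the example and did not appear in the message.

```python
"""Minimal parser for ipmon(8) log lines like the one quoted in the message.

Assumed field layout (inferred from the quoted sample, not from ipmon's docs):
  HH:MM:SS.uuuuuu IFACE @GROUP:RULE ACTION SRC[,SPORT] -> DST[,DPORT] \
      PR PROTO len HLEN PLEN [icmp TYPE/CODE] [for ISRC[,P] - IDST[,P] PR PROTO ...]
Lines may carry the usual syslog prefix ("Dec 27 19:18:31 host ipmon[pid]: ").
"""
import re
from dataclasses import dataclass
from typing import Optional

# Log line copied from the message above.
PAGE_LINE = ("Dec 27 19:18:31 under ipmon[341]: 19:18:30.453472 xl0 @0:29 p "
             "206.115.158.181 -> 216.27.37.14 PR icmp len 20 56 icmp 3/1 "
             "for 216.27.37.14,21 - 208.251.56.92,1228 PR tcp len 20 24576")
# Constructed line (not from the page): a blocked inbound telnet SYN.
CONSTRUCTED_LINE = ("Dec 27 19:20:01 under ipmon[341]: 19:20:01.000123 xl0 @0:12 b "
                    "10.0.0.5,1031 -> 192.0.2.10,23 PR tcp len 20 60 -S IN")

SYSLOG_PREFIX = re.compile(r'^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ipmon\[\d+\]: ')


def _endpoint(name: str) -> str:
    """Regex for 'ADDR' or 'ADDR,PORT' (ipmon separates the port with a comma)."""
    return rf'(?P<{name}>[^\s,]+)(?:,(?P<{name}_port>\d+))?'


RECORD = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) '
    r'(?P<action>\S+) ' + _endpoint('src') + ' -> ' + _endpoint('dst') +
    r' PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<extra>.*)$')
ICMP = re.compile(r'\bicmp (?P<type>\d+)/(?P<code>\d+)')
INNER = re.compile(r'\bfor ' + _endpoint('isrc') + ' - ' + _endpoint('idst') +
                   r' PR (?P<iproto>\S+)')
ACTIONS = {'p': 'passed', 'b': 'blocked'}   # other action flags are kept verbatim


@dataclass
class IpmonRecord:
    time: str
    iface: str
    group: int
    rule: int
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int
    plen: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    inner: Optional[dict] = None      # datagram quoted inside an ICMP error, if any
    extra: str = ''                   # whatever followed the lengths (flags, direction)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Return an IpmonRecord, or None if the line is not an ipmon packet record."""
    body = SYSLOG_PREFIX.sub('', line.strip(), count=1)
    m = RECORD.match(body)
    if not m:
        return None
    rec = IpmonRecord(
        time=m['time'], iface=m['iface'], group=int(m['group']), rule=int(m['rule']),
        action=m['action'], src=m['src'], sport=_port(m['src_port']),
        dst=m['dst'], dport=_port(m['dst_port']), proto=m['proto'],
        hlen=int(m['hlen']), plen=int(m['plen']), extra=m['extra'].strip())
    icmp = ICMP.search(rec.extra)
    if icmp:
        rec.icmp_type, rec.icmp_code = int(icmp['type']), int(icmp['code'])
    inner = INNER.search(rec.extra)
    if inner:
        rec.inner = {'src': inner['isrc'], 'sport': _port(inner['isrc_port']),
                     'dst': inner['idst'], 'dport': _port(inner['idst_port']),
                     'proto': inner['iproto']}
    return rec


def describe(rec: IpmonRecord) -> str:
    """One-line English rendering, in the spirit of the parsers the message mentions."""
    def ep(addr, port):
        return addr if port is None else f'{addr}:{port}'
    text = (f'{rec.time} {rec.iface}: rule {rec.group}:{rec.rule} '
            f'{ACTIONS.get(rec.action, rec.action)} {rec.proto} '
            f'{ep(rec.src, rec.sport)} -> {ep(rec.dst, rec.dport)} ({rec.plen} bytes)')
    if rec.icmp_type is not None:
        text += f', icmp type {rec.icmp_type} code {rec.icmp_code}'
    if rec.inner:
        text += (f', in response to {rec.inner["proto"]} '
                 f'{ep(rec.inner["src"], rec.inner["sport"])} -> '
                 f'{ep(rec.inner["dst"], rec.inner["dport"])}')
    if rec.extra and rec.icmp_type is None:
        text += f' [{rec.extra}]'
    return text


if __name__ == '__main__':
    for line in (PAGE_LINE, CONSTRUCTED_LINE, 'not an ipmon line'):
        rec = parse_ipmon_line(line)
        print(describe(rec) if rec else f'unparsed: {line}')
```

The parser deliberately returns None rather than raising on anything it does not recognise, so it can sit behind a tail -f pipe without dying on ipmon's non-packet output; anything after the length fields is kept verbatim in `extra` so flags and direction markers that the assumed layout does not model are not silently lost. The "for" clause is the part worth keeping structured: in the quoted line it tells you which of your own connections (here the FTP control port, 21) the ICMP unreachable refers to, which is the detail ipfw's one-line summary omits.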
