From: Mark Rowlands
To: freebsd-questions@freebsd.org
Date: Sun, 13 Mar 2005 10:34:18 +0100
Subject: Re: ipfw or pf

On Sunday 13 March 2005 09:16, Loren M. Lang wrote:
> On Fri, Mar 04, 2005 at 01:41:23PM +0100, Albert Shih wrote:
> > On 03/03/2005 at 13:07:53-0800, Loren M. Lang wrote:
> > > > Well it's not the syntax, I always use packet filter systems
> > > > (sometimes on hardware like Foundry/Cisco) where the rule is: first
> > > > match first use. And pf using the entire rule set is very strange for me
> > > > (I know I can use "quick" but... well it's not the philosophy I
> > > > think).
> > >
> > > I like first match better too, but I think pf is sufficiently better
> > > that I just use it with quick over ipfw.
> >
> > Better on what?
>
> More security features like scrubbing packets. This can look for errors
> like bad tcp flag combinations that some port scanners might use. Also,
> it is just more flexible by using tables for matches that can even be
> updated dynamically. ipf and ipfw would require a completely new rule
> to change the firewall. Tables can be used to, say, keep track of a
> blacklist of ip addresses like the ones that keep trying to log into ssh
> accounts on my server that don't exist

man ipfw

    ipfw table number add addr[/masklen] [value]
    ipfw table number delete addr[/masklen]
    ipfw table number flush
    ipfw table number list
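As an added illustration of the dynamic-blacklist use Loren describes, done with the ipfw table commands Mark quotes (this is example code, not from the thread): it extracts the source addresses behind "Invalid user" sshd lines and emits the matching `ipfw table N add` commands. The log lines are constructed samples, the table number 1 is an assumed free table, and the firewall rule that consults the table is given only as a comment.

```sh
#!/bin/sh
# Constructed sample of sshd log lines (not a real log); the "Invalid user X from A"
# message is the form OpenSSH logs for logins to accounts that do not exist.
SAMPLE_LOG='Mar 13 09:30:01 host sshd[1234]: Invalid user admin from 192.0.2.10
Mar 13 09:30:05 host sshd[1235]: Invalid user test from 192.0.2.10
Mar 13 09:31:00 host sshd[1240]: Accepted publickey for mark from 198.51.100.7 port 2222 ssh2
Mar 13 09:32:11 host sshd[1241]: Invalid user oracle from 203.0.113.5'

# Table that holds the blacklist (assumed; any unused table number works).
TABLE=1

# Print each distinct source address that tried a non-existent account.
offending_addrs() {
    printf '%s\n' "$SAMPLE_LOG" \
        | sed -n 's/.*sshd\[[0-9]*\]: Invalid user [^ ]* from \([0-9.]*\).*/\1/p' \
        | sort -u
}

# Emit one "ipfw table N add" line per address (dry run: nothing is applied here).
# A rule such as "ipfw add deny ip from table($TABLE) to any" then drops traffic
# from every address in the table, and only the table changes as the list grows.
blacklist_cmds() {
    offending_addrs | while read -r addr; do
        printf 'ipfw table %s add %s/32\n' "$TABLE" "$addr"
    done
}

blacklist_cmds
```

Pipe the output into `sh` on the FreeBSD host to apply it; `ipfw table 1 list` then shows the current blacklist.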