From owner-freebsd-security Wed Oct 13 13:11: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sparc.sweb.com (ip-150-253.gw.total-web.net [209.186.150.253])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5E0DA1519C; Wed, 13 Oct 1999 13:10:52 -0700 (PDT)
	(envelope-from zaph0d@sparc.sweb.com)
Received: from localhost by sparc.sweb.com (8.9.3/8.9.3) with SMTP
	id QAA12539; Wed, 13 Oct 1999 16:05:54 -0400 (EDT)
Date: Wed, 13 Oct 1999 16:05:53 -0400 (EDT)
From:
To: Thomas Stromberg
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To: <38047FB1.D7B282AD@rtci.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I also must agree for many tasks, IP filter proves superior to IPFW and
NATD for many things which I do. It seems much more straightforward, more
configurable, and also in many respects more stable and reliable.

It would not bother me in the least if they simply yanked ipfw and natd
from the src tree, and included ipf/ipnat by default (not in contrib).

If no one else desires to do so, I'd be happy to maintain whatever
communication or porting necessary to keep it current and included in the
standard FreeBSD distribution.

On Wed, 13 Oct 1999, Thomas Stromberg wrote:

> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ipnat/Attic/Makefile
> ------------------------------------------------------------------------
> 1.2 Sun Oct 10 15:08:35 1999 UTC by peter
> CVS Tags: HEAD
> Diffs to 1.1
> FILE REMOVED
>
> Nuke the old antique copy of ipfilter from the tree. This is old enough
> to be dangerous. It will better serve us as a port building a KLD,
> ala SKIP.
> ------------------------------------------------------------------------
>
> Although a heads up in -CURRENT or -security about this would have been
> nice, ye old ipfilter is gone. I definitely cannot disagree with the
> fact that it is an antique copy, and it's a shame that no one seems to
> be taking care of it in the tree. At least in the past, ipfilter was for
> many a much better option than ipfw. Has ipfw improved to the point
> where it functions better as a company firewall than ipfilter? (Okay, so
> the group & user firewalling is neat, but not really applicable for a
> corporate border firewall)
>
> ipfilter's website: http://coombs.anu.edu.au/~avalon/ip-filter.html
>
> For why I feel ipfilter is better than ipfw (this post was written back
> in December '98, ipfw may have changed greatly since):
>
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=117538+122112+/usr/local/www/db/text/1998/freebsd-current/19981227.freebsd-current
> (the big 'wanton atticizing discussion')
>
> A summary of it being:
>
> - Multiplatform. Runs on IRIX, Solaris, Linux. Comes shipped with
> FreeBSD, OpenBSD, and NetBSD. Keeps us in sync with the other BSD's.
> - Better logging than ipfw (has ipfw improved? That's why I switched to
> ipfilter in the first place)
>
> It's a shame that no one seems to want to maintain ipfilter in our tree.
> As far as a 'port building kld', I think this may not be the 'smartest'
> way, seeing as anyone who is running a serious firewall would disable
> kld's immediately anyhow.
>
> So my question is, what's the direction we're taking here?
>
> --
> =======================================================================
> Thomas Stromberg, Assistant IS Manager / Systems Guru
> smtp://tstromberg@rtci.com Research Triangle Commerce, Inc.
> pots://919.380.9771 x3210
> =======================================================================
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>