From owner-freebsd-security Wed Mar 7 18:31:24 2001
Message-Id: <200103080229.f282T8E27412@cwsys.cwsent.com>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Christopher Schulte
Cc: Fernando Schapachnik, Nathan Dorfman, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw or ipf?
In-reply-to: Your message of "Wed, 07 Mar 2001 18:29:10 CST." <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>
Date: Wed, 07 Mar 2001 18:28:48 -0800

In message <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>, Christopher Schulte writes:

> At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
> >On the other hand ipfw can do traffic shaping. On FreeBSD you can
> >build an "invisible" firewall with ipfw doing bridging.
>
> ipfw + dummynet + bridging is exactly what I use for my firewall. It's
> fast, stable, easy to manage, powerful and I'd recommend it to anyone
> wanting to secure a small network using FreeBSD and 2 NICs.
>
> Ipfw does have the ability to keep TCP state. I can't speak for NAT or
> portability. I have used ipf on at least OpenBSD and Solaris. It probably
> can be compiled on many more.
>
> ipfw is beautiful - two NICs just hop into promisc mode. One connects to
> the 'internal' network, the other to possibly a router or public
> switch. Then using the firewall/shaping rules defined with ipfw, traffic is
> transparently passed (or dropped/rejected) from the external network to
> machines on the inside via software bridging.
>
> Not to mention, you can do sophisticated traffic limiting at the same time.

On the flip side, IP Filter gives FTP, RCMD, and Real Audio proxies. The last two are inconsequential, unless you firewall your workstation, like I do at work, and perform Kerberos rsh (krsh) to systems you manage. The FTP proxy allows you to support PORT (active) FTP through your firewall. Not all FTP clients support passive FTP. Not all users are smart enough to remember to use passive FTP.

It's been reported that the state engine in IP Filter is more mature and more restrictive because of the checks it does for TCP packets being within the TCP window. I'm not sure whether IPFW does the same.

I have built firewalls based on IP Filter for filtering and NAT, specifically using IPF's FTP proxy, while using IPFW's dummynet.

Both IPFW and IPF are excellent firewalls. The beauty of FreeBSD, unlike the other operating systems, is that you get BOTH. Two different tools in your toolbox for two slightly different jobs.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
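The difference Cy points at (a state engine that only matches the address/port tuple versus one that also checks that each TCP segment falls inside the window the other side advertised) is easier to see with a toy model than in prose. The following is an added example, not IP Filter's or ipfw's code and not part of the original thread; it is a deliberately simplified reconstruction of what "packets within the TCP window" buys a firewall. The hosts, ports and sequence numbers are constructed, and `TupleStateEngine`, `WindowStateEngine` and `run_scenario` are names chosen for this illustration. Both engines are fed the same handshake and data exchange, followed by two forged inbound segments that reuse a live connection's tuple.

```python
"""Toy stateful TCP inspection, with and without window checks (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    window: int = 0
    length: int = 0        # payload bytes
    syn: bool = False
    ack_flag: bool = False


class TupleStateEngine:
    """Keeps state by endpoint pair only: once a flow is opened from the
    inside, any later packet carrying that pair of endpoints is passed."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt, inbound):
        key = frozenset(((pkt.src, pkt.sport), (pkt.dst, pkt.dport)))
        if key in self.flows:
            return True
        if pkt.syn and not pkt.ack_flag and not inbound:
            self.flows.add(key)
            return True
        return False


class WindowStateEngine:
    """Also records, per endpoint, the highest sequence number it has sent
    (max_end) and the ack/window it last advertised, and rejects segments
    the other endpoint could not currently accept. Simplified model, not
    IP Filter's actual algorithm."""

    def __init__(self):
        self.flows = {}

    def check(self, pkt, inbound):
        me, peer = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = frozenset((me, peer))
        st = self.flows.get(key)
        if st is None:
            if pkt.syn and not pkt.ack_flag and not inbound:
                self.flows[key] = {me: {"max_end": pkt.seq + 1, "ack": None, "win": None}}
                return True
            return False
        peer_st = st.get(peer)
        if peer_st is None:
            # Peer has not answered yet: only a retransmitted SYN is plausible.
            return pkt.syn and pkt.seq + 1 == st[me]["max_end"]
        if peer_st["ack"] is None:
            # Peer has only sent its SYN: this must be the SYN-ACK acknowledging it.
            if not (pkt.ack_flag and pkt.ack == peer_st["max_end"]):
                return False
        else:
            # Segment must sit inside the window the peer advertised around its ack
            # (one window below allows retransmissions).
            lo = peer_st["ack"] - peer_st["win"]
            hi = peer_st["ack"] + peer_st["win"]
            if not (lo <= pkt.seq and pkt.seq + pkt.length <= hi):
                return False
        if pkt.ack_flag and pkt.ack > peer_st["max_end"]:
            return False   # acknowledges data the peer never sent
        me_st = st.setdefault(me, {"max_end": pkt.seq, "ack": None, "win": None})
        end = pkt.seq + pkt.length + (1 if pkt.syn else 0)
        me_st["max_end"] = max(me_st["max_end"], end)
        if pkt.ack_flag:
            me_st["ack"], me_st["win"] = pkt.ack, pkt.window
        return True


CLIENT = ("10.0.0.5", 40000)     # constructed inside host
SERVER = ("192.0.2.10", 80)      # constructed outside host


def c2s(**kw):
    return Packet(*CLIENT, *SERVER, **kw)


def s2c(**kw):
    return Packet(*SERVER, *CLIENT, **kw)


# (name, packet, inbound?) -- a normal exchange followed by two forged segments
SCENARIO = [
    ("syn", c2s(seq=1000, window=8192, syn=True), False),
    ("syn-ack", s2c(seq=5000, ack=1001, window=16384, syn=True, ack_flag=True), True),
    ("ack", c2s(seq=1001, ack=5001, window=8192, ack_flag=True), False),
    ("request", c2s(seq=1001, ack=5001, window=8192, length=100, ack_flag=True), False),
    ("response", s2c(seq=5001, ack=1101, window=16384, length=500, ack_flag=True), True),
    ("forged seq", s2c(seq=900000, ack=1101, window=16384, length=40, ack_flag=True), True),
    ("forged ack", s2c(seq=5501, ack=999999, window=16384, ack_flag=True), True),
]


def run_scenario():
    """Return {name: (tuple_engine_verdict, window_engine_verdict)}."""
    tuple_eng, win_eng = TupleStateEngine(), WindowStateEngine()
    results = {}
    for name, pkt, inbound in SCENARIO:
        results[name] = (tuple_eng.check(pkt, inbound), win_eng.check(pkt, inbound))
    return results


if __name__ == "__main__":
    for name, (tup, win) in run_scenario().items():
        print(f"{name:12s} tuple-only={'pass' if tup else 'drop'} window-check={'pass' if win else 'drop'}")
```

Both engines pass the genuine handshake and data segments. The tuple-only engine also passes the two forged inbound segments, because all it knows is that the endpoint pair is open; the window-checking engine drops one for a sequence number far outside the client's advertised window and the other for acknowledging bytes the client never sent. That extra strictness is the property the thread attributes to IP Filter's state engine; whether ipfw's `keep-state` does the same is left open in the message above and is not claimed here.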