Date: Wed, 21 Nov 2001 17:01:15 +0000 (GMT)
From: freebsd-security@rikrose.net
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD
In-Reply-To: <7052044C7D7AD511A20200508B5A9C585169B6@MAGRAT>

For something that large, I'd wonder why you're not using a hardware router, but, to answer the question that was asked, I'd use *both* IPFilter and IPFW. I would use ipfilter for filtering and NAT (if needed), since it is actually better at doing that, and ipfw for bandwidth limiting/traffic shaping.

As to which one sees the packet first, packets would come in on an interface, go through the ipfw rules, then the ipfilter rules, then out again (possibly through the rules again, assuming you don't do anything like use fastroute rules on either).

Basically, ipfw doesn't give as much control over the packets and filtering as ipfilter, so use both.

Useful URL: http://www.obfuscation.org/ipf

There's probably a good one for ipfw too, but I use ipfilter, and haven't had the need for traffic shaping yet...

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net
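A constructed configuration following the split suggested in the post (ipfilter for filtering and NAT, ipfw/dummynet only for shaping), added here as an example and not part of the original message. The interface names fxp0 (outside) and fxp1 (inside), the inside network 10.0.0.0/24 and the web host 10.0.0.5 are assumptions.

```conf
# --- /etc/ipf.rules: stateful filtering on the outside interface fxp0 ---
# (fxp0, 10.0.0.0/24 and 10.0.0.5 are constructed values for this example)
# Drop traffic arriving from outside with private source addresses (spoofed).
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
# Let inside hosts out, keeping state so that only replies come back in.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# The only service exposed from outside is the web server. ipnat rewrites the
# destination before the filter sees it, so the rule matches the inside address.
pass in quick on fxp0 proto tcp from any to 10.0.0.5/32 port = 80 flags S keep state
# Everything else inbound on the outside interface is dropped and logged.
block in log quick on fxp0 all

# --- /etc/ipnat.rules: hide the inside network behind fxp0's address ---
# 0/32 means "use whatever address is currently on the interface".
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 10.0.0.0/24 -> 0/32
# Forward inbound port 80 on the outside address to the inside web server.
rdr fxp0 0.0.0.0/0 port 80 -> 10.0.0.5 port 80 tcp

# --- ipfw/dummynet, run from a boot script: shaping only, no filtering ---
# Needs a kernel built with options IPFIREWALL and DUMMYNET (or the modules).
ipfw -q -f flush
ipfw -q pipe 1 config bw 2Mbit/s     # cap on traffic delivered to the inside net
ipfw -q pipe 2 config bw 512Kbit/s   # cap on traffic leaving the inside net
# Shape on the inside interface, where addresses are private and not yet
# rewritten by ipnat; the rules then do not depend on which hook runs first.
ipfw -q add 100 pipe 1 ip from any to 10.0.0.0/24 out via fxp1
ipfw -q add 200 pipe 2 ip from 10.0.0.0/24 to any in via fxp1
# ipfw's default rule 65535 denies unless the kernel was built to accept, so
# pass everything here and leave the accept/deny decision to ipfilter.
# With net.inet.ip.fw.one_pass=1 (the default) a packet leaving a pipe is not
# re-run through ipfw, which is fine since rule 65000 would only allow it.
ipfw -q add 65000 allow ip from any to any
```

Enable ipfilter and ipnat in rc.conf (ipfilter_enable="YES", ipnat_enable="YES") and run the ipfw commands from a script referenced by firewall_type, and check that state is actually being kept with `ipfstat -s` before exposing the box.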