Date: Wed, 21 Nov 2001 17:01:15 +0000 (GMT)
From: freebsd-security@rikrose.net
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD
Message-ID: <Pine.LNX.4.21.0111211653410.8343-100000@pkl.net>
In-Reply-To: <7052044C7D7AD511A20200508B5A9C585169B6@MAGRAT>

For something that large, I'd wonder why you're not using a hardware router, but, to answer the question that was asked, I'd use *both* IPFilter and IPFW. I would use ipfilter for filtering and NAT (if needed), since it is actually better at doing that, and ipfw for bandwidth limiting/traffic shaping.

As to which one sees the packet first, packets would come in on an interface, go through the ipfw rules, then the ipfilter rules, then out again (possibly through the rules again, assuming you don't do anything like use fastroute rules on either).

Basically, ipfw doesn't give as much control over the packets and filtering as ipfilter, so use both.

Useful URL: http://www.obfuscation.org/ipf

There's probably a good one for ipfw too, but I use ipfilter, and haven't had the need for traffic shaping yet...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net