From owner-freebsd-security  Wed Nov 21  9:28:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107])
	by hub.freebsd.org (Postfix) with ESMTP id 8D9A637B417
	for <freebsd-security@FreeBSD.org>; Wed, 21 Nov 2001 09:28:08 -0800 (PST)
Received: from DAVE ([192.168.0.54])
	by chaos.evolve.za.net (8.11.6/1.1.3) with SMTP id fALHS3l42557
	for <freebsd-security@FreeBSD.org>; Wed, 21 Nov 2001 19:28:03 +0200 (SAST)
	(envelope-from dave@raven.za.net)
Message-ID: <005f01c172b1$7a8503c0$3600a8c0@DAVE>
From: "Dave Raven" <dave@raven.za.net>
To: <freebsd-security@FreeBSD.org>
References: <20011121181929.A15275@heresy.dreamflow.nl>
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 19:25:12 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

ipfw runs in the kernel, but NAT runs in userland.

With IPFilter this is not so, IPNat runs in the kernel and should be faster.
If you are planning on large usage I would recommend IPFilter (less load)
and IPNat.

but then, dont quote me.


--Dave
Optec Sec.

----- Original Message -----
From: "Bart Matthaei" <bart@dreamflow.nl>
To: <freebsd-security@rikrose.net>
Cc: <security@freebsd.org>
Sent: Wednesday, November 21, 2001 7:19 PM
Subject: Re: Best security topology for FreeBSD


> On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net
> wrote:
> > Basically, ipfw doesn't give as much control over the packets and
> > filtering as ipfilter, so use both.
>
> Care to explain why ? I think ipfw/ipf handle packets just as well..
> The only thing i recall is a story about ipfw sending packets trough
> userland (?!). But thats just a vague story i've read somewhere.
>
> I dont see why ipfw can't do what he needs. Ipfw works pretty well
> with NAT, and it's good with traffic shaping. And I personally haven't
> had any troubles with ipfw filtering.
>
> Regards,
>
> B.
>
> --
> Bart Matthaei                 bart@dreamflow.nl
>
> /* Welcome to my world.. You just live in it */


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message