From: "JoeB" <barbish@a1poweruser.com>
To: freebsd-questions@freebsd.org
Subject: RE: ipfw firewall questions
Date: Sun, 2 Feb 2003 13:26:24 -0500
In-Reply-To: <200302021150.52576.petre@kgb.ro>
List-ID: freebsd-questions

There are 3 classes of rules in IPFW, and each class has separate packet interrogation abilities. Each succeeding class has greater packet interrogation abilities than the previous one. These are stateless, simple stateful, and advanced stateful. The advanced stateful rule class is the only class having technically advanced interrogation abilities capable of defending against the flood of different attack methods currently employed by perpetrators. Stateless and simple stateful IPFW firewall rules are inadequate to protect the user's system in today's internet environment and leave the user unknowingly believing they are protected when in reality they are not.
The advanced stateful rule option keep-state works as documented only when used in a rule set that does not use the divert rule. Simply stated, the IPFW advanced stateful rule option keep-state does not function correctly when used in an IPFW firewall that is also using the IPFW built-in NATD function. For the most complete keep-state protection, the other firewall solution (IPFILTER) that comes with FBSD should be used. Just check out the IPFW list archives and you will see this subject discussed in detail without any solution forthcoming.

http://www.obfuscation.org/ipf/
http://www.obfuscation.org/ipf/ipf-howto.html

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Petre Bandac
Sent: Sunday, February 02, 2003 4:51 AM
To: freebsd-questions@freebsd.org
Subject: ipfw firewall questions

hello

I'm about to "compose" my first ipfw firewall - and, since I have worked quite a lot with iptables, I'm interested in a few minor similarities:

1 - is the firewall called by rc.conf? or can I call it at boot time via whatever *.sh placed in the right place?
2 - can the firewall be an executable bash script (i.e. like a regular linux firewall, with variables like myIP="192.168.0.0")?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre

--
Login: petre                            Name: Petre Bandac
Directory: /home/petre                  Shell: /usr/local/bin/zsh
On since Fri Jan 31 20:40 (EET) on ttyv1, idle 1 day 14:58 (messages off)
On since Sun Feb 2 09:28 (EET) on ttyp0, idle 1:15, from :0
On since Sun Feb 2 09:43 (EET) on ttyp1, idle 1:31, from :0
On since Fri Jan 31 23:46 (EET) on ttyp2, idle 0:02, from :0
On since Sun Feb 2 11:07 (EET) on ttyp3, idle 0:24, from :0
No Mail.
No Plan.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
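Both of Petre's questions (is the ruleset driven from rc.conf, and can it be a shell script with variables) and the three rule classes JoeB describes are covered by one added example below. It is not code from either poster: it is a Bourne-shell ruleset in the style FreeBSD's rc.firewall sources through the rc.conf `firewall_script` variable. The file name /etc/ipfw.rules, the interfaces xl0 (outside) and xl1 (LAN), the 192.168.0.0/24 prefix, the rule numbers, and the `IPFW` and `use_natd` knobs are all assumptions. The divert rule is shown only to make its placement concrete; JoeB's point that keep-state misbehaves once divert is in the ruleset stands, and the example makes no claim to the contrary.

```shell
#!/bin/sh
# /etc/ipfw.rules -- assumed filename.  Hooked into boot from rc.conf with:
#   gateway_enable="YES"               # only if this box routes for the LAN
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"  # rc.firewall sources this file
# "sh /etc/ipfw.rules" loads it by hand; "IPFW=echo sh /etc/ipfw.rules"
# prints the ipfw(8) commands instead of applying them.

oif="xl0"                   # assumed: interface on the Internet side
iif="xl1"                   # assumed: interface on the LAN side
lan="192.168.0.0/24"        # assumed: LAN prefix (the myIP-style variable)
use_natd="${use_natd:-NO}"  # assumed knob: YES inserts the divert rule for natd
IPFW="${IPFW:-ipfw}"        # IPFW=echo gives a dry run

# Every rule passes through here, so a dry run shows exactly the argument
# list ipfw(8) would be handed.
rule() {
    $IPFW -q add "$@"
}

load_rules() {
    $IPFW -q -f flush

    # Loopback and anti-spoofing: nobody outside may claim our addresses.
    rule 00100 allow ip from any to any via lo0
    rule 00110 deny  ip from any to 127.0.0.0/8
    rule 00120 deny  ip from 127.0.0.0/8 to any
    rule 00130 deny  ip from $lan to any in via $oif
    rule 00140 allow ip from any to any via $iif

    # natd must see packets before any stateful rule does, hence the low
    # rule number.  Placement only; see the caveat about keep-state above.
    if [ "$use_natd" = "YES" ]; then
        rule 00150 divert natd ip from any to any via $oif
    fi

    # Advanced stateful: the dynamic rule table is consulted first.  A packet
    # that belongs to a session opened by a keep-state rule is accepted here
    # and never reaches the stateless rules at the bottom.
    rule 00200 check-state

    # Sessions opened from inside: only the SYN ("setup") is inspected, and
    # it creates the dynamic entry that check-state matches afterwards.
    rule 00300 allow tcp  from $lan to any out via $oif setup keep-state
    rule 00310 allow tcp  from me   to any out via $oif setup keep-state
    rule 00320 allow udp  from $lan to any 53 out via $oif keep-state
    rule 00330 allow udp  from me   to any 53 out via $oif keep-state
    rule 00340 allow icmp from any to any icmptypes 0,3,8,11

    # One inbound service (ssh to this host), tracked the same way.
    rule 00400 allow tcp from any to me 22 in via $oif setup keep-state

    # Stateless rulesets pass anything with ACK set via "allow ... established".
    # Here an ACK that matched no dynamic entry is logged and dropped instead,
    # and so is any inbound SYN that no rule above accepted.
    rule 00500 deny log tcp from any to any established in via $oif
    rule 00510 deny log tcp from any to any in via $oif setup

    # Nothing else gets through, and every drop is logged.
    rule 65000 deny log ip from any to any
}

# Apply the rules when ipfw (or the dry-run substitute) exists; complain
# loudly rather than exit, because rc.firewall sources this file.
if command -v "$IPFW" >/dev/null 2>&1; then
    load_rules
else
    echo "ipfw.rules: $IPFW not found, ruleset NOT loaded" >&2
fi
```

The ordering is the whole point of the "advanced stateful" class: check-state sits ahead of every keep-state rule, the keep-state rules only ever look at the first packet of a session, and the "established" catch-all at the end is a deny rather than an allow. Run it with `IPFW=echo` before pointing rc.conf at it and read the printed rule list top to bottom.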