Date:      Wed, 21 Nov 2001 12:31:06 -0500
From:      The Anarcat <anarcat@anarcat.dyndns.org>
To:        Bart Matthaei <bart@dreamflow.nl>
Cc:        freebsd-security@rikrose.net, security@freebsd.org
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <20011121173105.GA44370@shall.anarcat.dyndns.org>
In-Reply-To: <20011121181929.A15275@heresy.dreamflow.nl>
References:  <7052044C7D7AD511A20200508B5A9C585169B6@MAGRAT> <Pine.LNX.4.21.0111211653410.8343-100000@pkl.net> <20011121181929.A15275@heresy.dreamflow.nl>

On Wed Nov 21, 2001 at 06:19:29PM +0100, Bart Matthaei wrote:
> On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net wrote:
> > Basically, ipfw doesn't give as much control over the packets and
> > filtering as ipfilter, so use both.
>
> Care to explain why ?

For this I don't know. I thought both had the same capabilities too.

> I think ipfw/ipf handle packets just as well..

Agreed.

> The only thing I recall is a story about ipfw sending packets through
> userland (?!). But that's just a vague story I've read somewhere.

It's not a vague story. *In order to do NAT*, you must send packets to
the natd daemon, using a divert rule. ipf doesn't need that, as there is
an ipnat kernel module to replace natd.

a.
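
The two NAT setups contrasted in this message, side by side, as an added example that is not part of the original e-mail. The interface name ed0, the 192.168.1.0/24 inside network, the rule numbers and the port range are assumptions chosen for illustration.

```conf
# --- Option 1: ipfw + natd (NAT done in userland through a divert socket) ---
# Kernel config must include: options IPFIREWALL and options IPDIVERT

# /etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed0"            # assumed external interface

# ipfw rules (run from the firewall script):
# every packet crossing ed0 leaves the kernel here, is rewritten by the
# natd process listening on the "natd" divert port (8668), and is then
# reinjected into the ruleset at the rule following the divert rule.
ipfw add 50 divert natd all from any to any via ed0
ipfw add 100 allow all from any to any   # placeholder policy; put real filtering here

# --- Option 2: ipf + ipnat (NAT done inside the kernel, no daemon) ---

# /etc/rc.conf
gateway_enable="YES"
ipfilter_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules
# translate the assumed inside network to whatever address ed0 holds (0/32)
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ed0 192.168.1.0/24 -> 0/32
```

With option 1, placing filtering rules before or after the divert rule decides whether they see pre-NAT or post-NAT addresses, and NAT stops if the natd process is not running.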

