From owner-freebsd-questions Fri Jun 9 12:28:42 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from draenor.org (draenor.org [196.36.119.129])
	by hub.freebsd.org (Postfix) with ESMTP id DDD5837C546
	for ; Fri, 9 Jun 2000 12:28:34 -0700 (PDT)
	(envelope-from marcs@draenor.org)
Received: from marcs by draenor.org with local (Exim 3.14 #1)
	id 130UQz-000Nhc-00; Fri, 09 Jun 2000 21:27:13 +0200
Date: Fri, 9 Jun 2000 21:27:13 +0200
From: Marc Silver
To: Roelof Osinga
Cc: Steve Coles , questions@FreeBSD.ORG
Subject: Re: Relative merits of IPFIREWALL and IPFILTER
Message-ID: <20000609212713.F81376@draenor.org>
References: <0f4a01bfd229$00605ab0$4c9814ac@volga.TRIPOS.COM> <39413FFB.85A522F6@nisser.com> <20000609211149.C81376@draenor.org> <39414492.ACFF042A@nisser.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <39414492.ACFF042A@nisser.com>; from roelof@nisser.com on Fri, Jun 09, 2000 at 09:25:06PM +0200
X-Operating-System: FreeBSD 4.0-STABLE
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

*nod* Just some examples are:

# Check state of all stateful connections
ipfw add check-state

# Allow in any packets that are part of an existing connection
ipfw add pass tcp from any to x.x.x.x in via rl0 established

# Allow outbound tcp/udp packets with state
ipfw add allow tcp from x.x.x.x to any out via rl0 keep-state setup
ipfw add allow udp from x.x.x.x to any out via rl0 keep-state
ipfw add allow icmp from x.x.x.x to any out via rl0 keep-state

I only recently found out about it too... :)

Cheers,
Marc

On Fri, Jun 09, 2000 at 09:25:06PM +0200, Roelof Osinga wrote:
> Marc Silver wrote:
> >
> > errr, nope. :) ipfw can handle stateful stuff :)
>
> Hey, interesting. I've always gathered that to be the distinguishing
> feature between them. I mean - from ipf(5) - ipfw doesn't do
>
>     state keeps information about the flow of a communication
>           session. State can be kept for TCP, UDP, and ICMP
>           packets.
>
> this. Ipfw sees each packet as a distinct entity. But if that
> has changed while I was asleep, so more the better. I'm
> using ipfw, you see .
>
> Roelof
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
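
Added example, not part of the original message and not ipfw's own code: a simplified Python model of the five rules quoted above, showing how the stateless `established` match differs from a dynamic rule created by `keep-state` and consulted by `check-state`. The `RuleSet` class, the sample addresses (192.0.2.10 stands in for x.x.x.x) and the closing default deny are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model: real ipfw dynamic rules also track TCP state and expire on timers.
Packet = namedtuple("Packet", "proto src sport dst dport direction flags")
HOST = "192.0.2.10"  # constructed stand-in for the x.x.x.x address in the rules


class RuleSet:
    def __init__(self, host, with_established=True):
        self.host = host
        self.with_established = with_established
        self.dynamic = set()  # flows recorded by keep-state rules

    @staticmethod
    def flow_key(p):
        # Same key for both directions, so a reply matches the outbound entry.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def match(self, p):
        """Return the name of the first rule that accepts p, or 'deny'."""
        # ipfw add check-state
        if self.flow_key(p) in self.dynamic:
            return "check-state"
        # ipfw add pass tcp from any to HOST in via rl0 established
        if (self.with_established and p.proto == "tcp" and p.direction == "in"
                and p.dst == self.host and p.flags & {"ACK", "RST"}):
            return "established"
        # ipfw add allow {tcp setup, udp, icmp} from HOST to any out via rl0 keep-state
        if p.direction == "out" and p.src == self.host:
            is_setup = "SYN" in p.flags and "ACK" not in p.flags
            if p.proto in ("udp", "icmp") or (p.proto == "tcp" and is_setup):
                self.dynamic.add(self.flow_key(p))
                return "keep-state"
        return "deny"  # assumption: the rule set ends in a default deny


def demo(with_established):
    # Constructed packets: an outbound SYN, its reply, and an unrelated inbound ACK.
    rules = RuleSet(HOST, with_established)
    syn = Packet("tcp", HOST, 40000, "198.51.100.5", 80, "out", frozenset({"SYN"}))
    reply = Packet("tcp", "198.51.100.5", 80, HOST, 40000, "in", frozenset({"SYN", "ACK"}))
    stray = Packet("tcp", "203.0.113.9", 80, HOST, 40001, "in", frozenset({"ACK"}))
    return [rules.match(p) for p in (syn, reply, stray)]


if __name__ == "__main__":
    print(demo(True))   # the unrelated ACK is accepted by the stateless rule
    print(demo(False))  # the unrelated ACK has no dynamic entry and is denied
```

With the `established` rule present, an inbound ACK that belongs to no recorded flow is still accepted, because that rule looks only at TCP flags; without it, only replies to flows recorded by `keep-state` get in.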