From owner-freebsd-questions Fri Jun 9 13:20:38 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from nisser.com (c1870039.telekabel.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id AAC1037B5B0 for ; Fri, 9 Jun 2000 13:20:29 -0700 (PDT) (envelope-from roelof@nisser.com)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id WAA02779; Fri, 9 Jun 2000 22:20:15 +0200 (CEST) (envelope-from roelof@nisser.com)
Message-ID: <39415193.74529252@nisser.com>
Date: Fri, 09 Jun 2000 22:20:35 +0200
From: Roelof Osinga
Organization: eboa - engineering buro Office Automation
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Marc Silver
Cc: Steve Coles, questions@FreeBSD.ORG
Subject: Re: Relative merits of IPFIREWALL and IPFILTER
References: <0f4a01bfd229$00605ab0$4c9814ac@volga.TRIPOS.COM> <39413FFB.85A522F6@nisser.com> <20000609211149.C81376@draenor.org> <39414492.ACFF042A@nisser.com> <20000609212713.F81376@draenor.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Marc Silver wrote:
> 
> *nod*
> 
> Just some examples are:
> 
> # Check state of all stateful connections
> ipfw add check-state
> 
> # Allow in any packets that are part of an existing connection
> ipfw add pass tcp from any to x.x.x.x in via rl0 established
> 
> # Allow outbound tcp/udp packets with state
> ipfw add allow tcp from x.x.x.x to any out via rl0 keep-state setup
> ipfw add allow udp from x.x.x.x to any out via rl0 keep-state
> ipfw add allow icmp from x.x.x.x to any out via rl0 keep-state
> 
> I only recently found out about it too... :)

Yeah, well, it sorta comes back to me. Now that you mention it. A while ago there was this DoS attack that could not be blocked by ipfw but could be stopped by ipf. Say a month later there was indeed an announce regarding ipfw. Ah well.
But with that difference gone there are only 'minor' differences left. Most notably the control language. Ipf's looks more complete. It also looks to have more capabilities regarding looking into packets. E.g. making decisions based on the TTL. Maybe that the dup-to can do more than divert can. Then again, I'll be glad to be educated on that aspect, too ;).

Roelof
-- 
-----------------------------------------------------------------------
Eboa (ingenieursburo Office Automation)        web. http://eboa.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
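The following is an added illustration, not part of the thread above and not FreeBSD's ipfw code. It is a small Python model of how the quoted ruleset behaves: `check-state` consults a table of dynamic entries, the outbound `keep-state` rules create those entries (with `setup` restricting TCP to SYN-only packets), and the stateless `established` rule is kept separate so the two can be compared. The addresses, interface name, port numbers and the 300-second entry lifetime are constructed assumptions; ipfw's real dynamic-rule handling (per-state lifetimes, TCP flag tracking, hashing) is more involved than this.

```python
"""Model of ipfw stateful matching: check-state / keep-state versus 'established'.
Illustrative only; not ipfw's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int            # for icmp: type (constructed convention for this model)
    dport: int            # for icmp: code
    iface: str
    direction: str        # 'in' or 'out'
    flags: frozenset = frozenset()   # TCP flags present, e.g. {'SYN'}, {'ACK'}


class StatefulFirewall:
    """Evaluates one packet against the quoted ruleset, in order."""

    def __init__(self, my_ip, iface, lifetime=300):
        self.my_ip = my_ip          # stands in for x.x.x.x in the thread
        self.iface = iface          # stands in for rl0
        self.lifetime = lifetime    # assumed dynamic-entry lifetime, seconds
        self.dynamic = {}           # flow key -> expiry time

    def _key(self, p):
        # Symmetric key so a reply matches the entry its outbound packet created.
        a = (p.proto, p.src, p.sport, p.dst, p.dport)
        b = (p.proto, p.dst, p.dport, p.src, p.sport)
        return min(a, b)

    def _expire(self, now):
        for k in [k for k, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[k]

    def evaluate(self, p, now, stateless_established=False):
        # Rule 1: check-state. A matching dynamic entry allows the packet and is refreshed.
        self._expire(now)
        k = self._key(p)
        if k in self.dynamic:
            self.dynamic[k] = now + self.lifetime
            return 'allow (dynamic)'
        # Rule 2 (stateless alternative): pass tcp from any to me in via iface established.
        # 'established' only looks at the ACK/RST bits, so it has no notion of whether
        # this host ever opened the connection.
        if (stateless_established and p.proto == 'tcp' and p.direction == 'in'
                and p.iface == self.iface and p.dst == self.my_ip
                and ({'ACK', 'RST'} & p.flags)):
            return 'allow (established)'
        # Rules 3-5: outbound from me with keep-state; tcp also needs 'setup'
        # (SYN set, ACK clear), so only connection openings create state.
        if p.direction == 'out' and p.iface == self.iface and p.src == self.my_ip:
            if p.proto == 'tcp':
                if 'SYN' in p.flags and 'ACK' not in p.flags:
                    self.dynamic[k] = now + self.lifetime
                    return 'allow (setup keep-state)'
            elif p.proto in ('udp', 'icmp'):
                self.dynamic[k] = now + self.lifetime
                return 'allow (keep-state)'
        # No rule matched: modelled default-deny.
        return 'deny (default)'


def demo():
    """Run constructed packets through the model; returns verdicts keyed by case."""
    me, peer, stranger = '192.0.2.10', '198.51.100.5', '203.0.113.7'  # RFC 5737 addresses
    fw = StatefulFirewall(me, 'rl0')
    t = 1000.0
    out_syn = Packet('tcp', me, peer, 40000, 80, 'rl0', 'out', frozenset({'SYN'}))
    reply = Packet('tcp', peer, me, 80, 40000, 'rl0', 'in', frozenset({'SYN', 'ACK'}))
    stray_ack = Packet('tcp', stranger, me, 1234, 22, 'rl0', 'in', frozenset({'ACK'}))
    out_dns = Packet('udp', me, peer, 50000, 53, 'rl0', 'out')
    dns_reply = Packet('udp', peer, me, 53, 50000, 'rl0', 'in')
    return {
        'outbound_syn': fw.evaluate(out_syn, t),
        'reply': fw.evaluate(reply, t + 1),
        'stray_ack_stateful': fw.evaluate(stray_ack, t + 2),
        'stray_ack_established': fw.evaluate(stray_ack, t + 2, stateless_established=True),
        'outbound_dns': fw.evaluate(out_dns, t + 3),
        'dns_reply': fw.evaluate(dns_reply, t + 4),
        'reply_after_expiry': fw.evaluate(reply, t + 1000),
    }


if __name__ == '__main__':
    for case, verdict in demo().items():
        print(f'{case:24s} {verdict}')
```

The case worth noticing is `stray_ack`: an inbound packet with only the ACK bit set and no prior outbound SYN is denied by the stateful rules but allowed by the stateless `established` rule, which is the kind of gap that makes `check-state`/`keep-state` the stricter choice when it is available. The expiry case shows the other side of state: once an entry ages out, even a legitimate reply falls through to the default.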