Date:      Sun, 30 Jul 2000 17:32:15 -0700
From:      schluntz@timberwolf.workofstone.net
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        jmb@hub.freebsd.org (Jonathan M. Bresler), mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall 
Message-ID:  <200007310036.RAA10529@mail.workofstone.net>
In-Reply-To: Your message of "Mon, 31 Jul 2000 08:09:06 +1000." <200007302209.IAA29605@cairo.anu.edu.au>



>> > I came into this mess with mostly only PIX/FW1 experience...  I'll admit
>> > some initial frustration when glancing over the man page, but after I
>> > decided to read it, word for word, and started toying with the examples,
>> > I've found ipfw's syntax/behavior to be (often) more appealing than the
>> > other products I use on a daily basis.
>> > 
>> > -mrh
>> 
>> One significant advantage of ipfw over FW1, aside from cost,
>> is that ipfw can test on which interface a packet arrives and/or
>> leaves.  As far as I know, in FW1 it's not possible to act upon packets
>> based upon which interface the packet hits.  Imagine wanting to screen
>> (spoofed) packets with the inside IP addresses arriving on the outside
>> interface. ;(
>
>If you're using FW-1 on Solaris, you can use IP Filter to do filtering
>before FW-1 in case you don't trust FW-1 :-)

Or, if you really don't trust FW-1 on Solaris (but need some of its
functionality and like a second layer of protection) put a Cisco (or
preferably a FreeBSD box running ipfw) in front of it blocking all of
the heinous stuff and just let the FW-1 box do some of the granularity.

This also protects your FW-1 box from some of the FW-1 related attacks.

-Sean
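The interface-based anti-spoofing check described above, combined with the "screening box in front of FW-1" layout, as an added example that is not part of this thread: a POSIX shell function that emits the ipfw ruleset such a FreeBSD box would load. The interface names fxp0/fxp1 and the inside network 192.168.1.0/24 are assumptions, and rule 120 (egress check on the inside interface) generalises the inbound case the message mentions.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a FreeBSD screening box
# placed in front of FW-1, dropping the obvious spoofing cases before the
# inner firewall sees them. Interface names and the inside network are
# assumptions passed in as arguments.

# antispoof_rules OUTSIDE_IF INSIDE_IF INSIDE_NET
# Prints one ipfw command per line:
#   100  inside source address arriving on the outside interface (spoof)
#   110  loopback source address arriving on the outside interface
#   120  egress check: a packet entering on the inside interface must carry
#        an inside source address (generalisation of the same idea)
#   130  everything else is passed on, so FW-1 can apply the finer policy
antispoof_rules() {
    oif=$1
    iif=$2
    inet=$3
    cat <<EOF
add 100 deny log ip from $inet to any in via $oif
add 110 deny log ip from 127.0.0.0/8 to any in via $oif
add 120 deny log ip from not $inet to any in via $iif
add 130 allow ip from any to any
EOF
}

# apply_rules OUTSIDE_IF INSIDE_IF INSIDE_NET
# Flushes the current ruleset and loads the generated one from a file,
# which is how ipfw reads a batch of commands. IPFW can be overridden
# (e.g. IPFW=echo) to preview the commands without root on the console.
apply_rules() {
    tmp=$(mktemp) || return 1
    antispoof_rules "$1" "$2" "$3" > "$tmp"
    "${IPFW:-/sbin/ipfw}" -q flush
    "${IPFW:-/sbin/ipfw}" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Rule 130 deliberately passes the remainder unfiltered: the screening box only removes packets that should never reach the inner firewall, and FW-1 keeps the detailed policy.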


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007310036.RAA10529>