From: schluntz@timberwolf.workofstone.net
Reply-To: "Sean J. Schluntz"
To: Darren Reed
Cc: jmb@hub.freebsd.org (Jonathan M. Bresler), mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: Your message of "Mon, 31 Jul 2000 08:09:06 +1000." <200007302209.IAA29605@cairo.anu.edu.au>
Date: Sun, 30 Jul 2000 17:32:15 -0700
Message-Id: <200007310036.RAA10529@mail.workofstone.net>

>> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
>> > some initial frustration when glancing over the man page, but after I
>> > decided to read it, word for word, and started toying with the examples,
>> > I've found ipfw's syntax/behavior to be (often) more appealing than the
>> > other products I use on a daily basis.
>> >
>> > -mrh
>>
>> one significant advantage of ipfw over FW1, aside from cost,
>> is that ipfw can test on which interface a packet arrives and/or
>> leaves. as far as i know, in FW1 its not possible to act upon packets
>> based upon which interface the packet hits. imagine wanting to screen
>> (spoofed) packets with the inside IP addresses arriving on the outside
>> interface. ;(
>
> If you're using FW-1 on Solaris, you can use IP Filter to do filtering
> before FW-1 in case you don't trust FW-1 :-)

Or, if you really don't trust FW-1 on Solaris (but need some of its
functionality and like a second layer of protection) put a Cisco (or
preferably a FreeBSD box running ipfw) in front of it blocking all of the
heinous stuff and just let the FW-1 box do some of the granularity. This
also protects your FW-1 box from some of the FW-1 related attacks.

-Sean
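The interface-based screening jmb describes, written out as an added example that is not from this thread or from FreeBSD's rc.firewall: an ipfw fragment for the kind of front box Sean suggests, dropping inside addresses that arrive on the outside interface and ordering the RFC1918 checks around the natd divert rule. Interface names (fxp0/fxp1) and networks are constructed assumptions, and FWCMD defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Constructed setup: fxp0 is the outside interface (203.0.113.0/24),
# fxp1 is the inside interface (192.168.1.0/24). Set FWCMD=/sbin/ipfw
# to load the rules for real; by default they are only printed.
FWCMD="${FWCMD:-echo ipfw}"

# antispoof_rules OIF INET IIF ONET
antispoof_rules() {
    oif="$1"; inet="$2"; iif="$3"; onet="$4"

    # Inside addresses must never arrive on the outside interface and
    # outside addresses must never arrive on the inside interface.
    # "log" makes attempts visible in the security log for detection.
    $FWCMD add 100 deny log ip from "$inet" to any in via "$oif"
    $FWCMD add 110 deny log ip from "$onet" to any in via "$iif"

    # Packets *to* RFC1918 space must be checked before natd rewrites the
    # destination of inbound replies to an inside address, otherwise
    # legitimate return traffic would be dropped here.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $FWCMD add 120 deny log ip from any to "$net" via "$oif"
    done

    # natd translation point (natd must be running on the divert port).
    $FWCMD add 200 divert natd ip from any to any via "$oif"

    # Packets *from* RFC1918 space are checked after natd, so the inside
    # hosts' outbound traffic has already had its source rewritten and
    # only genuinely spoofed/leaked private sources are dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $FWCMD add 210 deny log ip from "$net" to any via "$oif"
    done
}

# Stand-alone run: print the ruleset for the constructed addresses.
antispoof_rules fxp0 192.168.1.0/24 fxp1 203.0.113.0/24
```

Mind the rule numbers: they are placeholders and must sit before whatever pass/allow rules the rest of your ruleset adds.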