From: Petre Bandac
Reply-To: petre@kgb.ro
Subject: Re: ipfw firewall questions
Date: Sun, 2 Feb 2003 22:49:33 +0200
Message-Id: <200302022249.33452.petre@kgb.ro>

ipf & ipfw are something like iptables & ipchains? both tools do the same job?

On Sunday 02 February 2003 20:26 Anno Domini, JoeB wrote using one of his
keyboards:
> There are 3 classes of rules in IPFW, each class has separate packet
> interrogation abilities. Each proceeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> http://www.obfuscation.org/ipf/
>
> http://www.obfuscation.org/ipf/ipf-howto.html
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Petre
> Bandac
> Sent: Sunday, February 02, 2003 4:51 AM
> To: freebsd-questions@freebsd.org
> Subject: ipfw firewall questions
>
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have
> worked quite a lot with iptables, I'm interested in a few minor
> similarities:
>
> 1 - the firewall is called by rc.conf? or can I call it at boot time
> via whatever *.sh placed in the right place
>
> 2 - the firewall can be an executable bash script (i.e. like a
> regular linux firewall, with variables like myIP="192.168.0.0")?
>
> I guess the rest is covered in the docs I have carefully RTFM :-)
>
> thanks,
>
> petre

--
Login: petre                    Name: Petre Bandac
Directory: /home/petre          Shell: /usr/local/bin/zsh
On since Sun Feb 2 13:56 (EET) on ttyv0, idle 8:51 (messages off)
Last login Sun Feb 2 20:03 (EET) on ttyp0 from ns.rdsbv.ro
No Mail.
No Plan.
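The rule classes described in the quoted reply, written in the shell-script-with-variables form asked about in the original question, as an added example that is not part of the thread. The interface name, rule numbers, the SSH service on port 22 and the script path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: interface name,
# rule numbers, SSH on port 22, and the script path below.
# To run at boot, /etc/rc.conf would carry:
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"    # assumed location of this file

oif="${oif:-fxp0}"          # outside interface (assumed name)
fwcmd="${fwcmd:-ipfw -q}"   # set fwcmd=echo to print the rules instead

# Rule shared by both variants: loopback traffic is always allowed.
base_rules() {
    $fwcmd add 100 allow ip from any to any via lo0
}

# Stateless / simple stateful variant: decisions use TCP flags only.
# "established" matches any TCP packet with ACK or RST set, so it accepts
# such packets whether or not a connection was ever opened.
stateless_rules() {
    base_rules
    $fwcmd add 200 allow tcp from any to any established
    $fwcmd add 300 allow tcp from me to any out via "$oif" setup
    $fwcmd add 400 allow tcp from any to me 22 in via "$oif" setup
    $fwcmd add 65000 deny log ip from any to any
}

# keep-state variant: each permitted first packet creates a dynamic rule,
# and check-state admits only packets belonging to a recorded flow.
stateful_rules() {
    base_rules
    $fwcmd add 200 check-state
    $fwcmd add 300 allow tcp from me to any out via "$oif" setup keep-state
    $fwcmd add 310 allow udp from me to any out via "$oif" keep-state
    $fwcmd add 400 allow tcp from any to me 22 in via "$oif" setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# Load only when invoked as "<script> load", so the file can be sourced
# and the functions inspected without touching the running firewall.
if [ "${1:-}" = "load" ]; then
    $fwcmd -f flush
    stateful_rules
fi
```

Running a function with `fwcmd=echo` prints the rule lines for review before anything is loaded into the kernel.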