From: Darren Reed
Message-Id: <200007270735.RAA18535@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Thu, 27 Jul 2000 17:35:42 +1000 (Australia/NSW)
Cc: Reinoud.Koornstra@ibb.net (Reinoud), Gerhard.Sittig@gmx.net (Gerhard Sittig), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Siobhan Patricia Lynch" at Jul 27, 2000 03:25:33 AM

In some mail from Siobhan Patricia Lynch, sie said:
>
> I actually use ipfw for everything, I can't see any real advantage to
> ipfilter in a situation that we're using it for (some people know
> where I work)
>
> ipfilter has to be flushed and reloaded, I don't have that luxury
>
> ipfw I can add rules on the fly.

You can do that with ipfilter too. In fact, ipfilter allows you to make
complete ruleset changes, on the fly with 0 security risk (i.e. there is
no gap of "half your rules being in place"). Even at bootup, you can go
from "no rules, default = block" to "full ruleset" and not have any packets
slip between the cracks as various lines get added to allow/deny things.
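One way to do the gap-free ruleset change described in the reply above, as an added example that is not part of the original message or of the ipfilter distribution: load the new rules into ipfilter's inactive set, then swap sets. The function name and the default rules path are assumptions; the flags (-n, -I, -Fa, -f, -s) are taken from ipf(8), not from the message.

```sh
#!/bin/sh
# Added example: replace the whole ipfilter ruleset with no window in which
# only part of the new rules is in force.
# Assumptions: rules live in /etc/ipf.rules unless a path is given, and
# ipf exits non-zero when it cannot parse or load the file.

reload_ipf_rules() {
    rules="${1:-/etc/ipf.rules}"   # assumed default location

    if [ ! -r "$rules" ]; then
        echo "reload_ipf_rules: cannot read $rules" >&2
        return 1
    fi

    # -n: parse only, no ioctls, so a syntax error never touches the kernel.
    if ! ipf -n -f "$rules"; then
        echo "reload_ipf_rules: syntax check failed, active set unchanged" >&2
        return 2
    fi

    # -I: work on the inactive set. -Fa empties it, -f loads the new rules.
    # The active set keeps filtering every packet while this runs.
    if ! ipf -I -Fa -f "$rules"; then
        echo "reload_ipf_rules: load failed, active set unchanged" >&2
        return 3
    fi

    # -s: swap the active and inactive sets in one step, so each packet is
    # matched against either the complete old set or the complete new one.
    ipf -s || return 4
}

# Usage (as root): reload_ipf_rules /etc/ipf.rules
```

After the swap the previous ruleset sits in the inactive set, so a second `ipf -s` reverts to it.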