Date: Thu, 27 Jul 2000 11:43:37 -0400
From: Nick Evans <nevans@nextvenue.com>
To: 'Siobhan Patricia Lynch' <trish@bsdunix.net>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>
It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD 4, no? Or is your bridging in reference to something else?

-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Thursday, July 27, 2000 11:31 AM
To: Darren Reed
Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)

I'm not saying that ipf is bad; in fact, prior to keep-state and check-state in ipfw, I used ipf quite a bit.

Again, *some* people here know who I work for, but the networking going into sites looks like this:

cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content switch -> clusters

ipfw works quite well, but wouldn't in this situation prior to FreeBSD 4.0.

If there's something absolutely amazing in the next version of ipf that makes my life hella better at work, I'll use it ;)

As it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from Exodus to the office (well, not quite yet, but we have the go-ahead on that project), which is irony, those who know who I am will agree ;)

-Trish

__
Trish Lynch
FreeBSD - The Power to Serve    trish@bsdunix.net
Rush Networking                 trish@rush.net

On Thu, 27 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> >
> > I actually use ipfw for everything, I can't see any real advantage to
> > ipfilter in a situation that we're using it for (some people know
> > where I work)
> >
> > ipfilter has to be flushed and reloaded, I don't have that luxury
> >
> > ipfw I can add rules on the fly.
>
> You can do that with ipfilter too.
>
> In fact, ipfilter allows you to make complete ruleset changes, on the
> fly with 0 security risk (i.e. there is no gap of "half your rules
> being in place").
>
> Even at bootup, you can go from "no rules, default = block" to
> "full ruleset" and not have any packets slip between the cracks
> as various lines get added to allow/deny things.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
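The thread contrasts two ways of changing a FreeBSD 4 packet filter: ipfw rules added one at a time (stateful since 4.0 via keep-state/check-state) and ipfilter loading a complete ruleset in one step. The script below is an added example, not code posted by anyone in the thread, showing both reload styles as an administrator would type them. The cluster address range (TEST-NET-1) is constructed, the `RUN` dry-run prefix is a convenience of this example, and the ipf sequence relies on ipf(8)'s inactive rule set (-I) and swap (-s) so that the running set is never half loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Two ruleset reload styles on FreeBSD 4:
# ipfw(8) rules added one by one (with a gap between flush and last add), and
# ipfilter's ipf(8) loading a whole ruleset into the inactive set and swapping.
# Address values are constructed placeholders, not taken from the message.

WEB_NET="${WEB_NET:-192.0.2.0/24}"   # constructed cluster range (TEST-NET-1)
RUN="${RUN:-}"                        # set RUN=echo to dry-run on a host without ipfw/ipf

# Emit a stateful ipfw ruleset for a filtering bridge. check-state must come
# first so packets of an already-permitted flow hit their dynamic rule before
# any static rule; the last rule is the default-block backstop.
# (On a FreeBSD 4 bridge, ipfw only sees bridged frames when the
# net.link.ether.bridge_ipfw sysctl is set; that step is outside this script.)
gen_ipfw_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to $WEB_NET 80 setup keep-state
add 300 allow tcp from any to $WEB_NET 443 setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Non-atomic reload: flush, then add each rule. Between the flush and the
# final add only the kernel default policy (deny or accept, per kernel
# options) applies. This is the "half your rules in place" window.
ipfw_incremental_reload() {
    $RUN ipfw -q flush
    gen_ipfw_rules | while IFS= read -r rule; do
        # word-splitting $rule is intended: it becomes the ipfw argument list
        # shellcheck disable=SC2086
        $RUN ipfw -q $rule
    done
}

# Constructed ipfilter equivalent of the ipfw ruleset above.
gen_ipf_rules() {
    cat <<EOF
block in log all
pass in quick proto tcp from any to $WEB_NET port = 80 flags S keep state
pass in quick proto tcp from any to $WEB_NET port = 443 flags S keep state
EOF
}

# Atomic reload with ipfilter: parse-check the file (-n: no kernel changes),
# flush the inactive set (-I -Fa), load the file into it (-I -f), then swap
# active and inactive sets (-s). The active set stays complete until the
# single swap call, so no packet is evaluated against a partial ruleset.
ipf_atomic_reload() {
    rules_file="$1"
    $RUN ipf -n -f "$rules_file" || return 1
    $RUN ipf -I -Fa
    $RUN ipf -I -f "$rules_file"
    $RUN ipf -s
}
```

Typical use on the firewall host is `gen_ipf_rules > /etc/ipf.rules` followed by `ipf_atomic_reload /etc/ipf.rules`; running the same with `RUN=echo` prints the command sequence without touching the kernel.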
