Date: Thu, 27 Jul 2000 11:43:37 -0400 From: Nick Evans <nevans@nextvenue.com> To: 'Siobhan Patricia Lynch' <trish@bsdunix.net> Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org> Subject: RE: ipf or ipfw (was: log with dynamic firewall rules) Message-ID: <712384017032D411AD7B0001023D799B07CA70@sn1exchmbx.nextvenue.com>
next in thread | raw e-mail | index | archive | help
This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF7E1.6E2983E0 Content-Type: text/plain; charset="iso-8859-1" It wouldn't work with ipf, period. IPF doesn't support bridging in FreeBSD 4, no? or is your bridging in reference to something else? -----Original Message----- From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net] Sent: Thursday, July 27, 2000 11:31 AM To: Darren Reed Cc: Reinoud; Gerhard Sittig; freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) I'm not saying that ipf is bad, in fact, prior to keep-state and check-state in ipfw, I used ipf quite a bit. again, *some* people here know who I work for, but the networking going into sites looks like this: cisco (non-stateful) -> freebsd bridging ipfw -> arrowpoint web content switch -> clusters ipfw works quite well, but wouldn;t in this situation prior to freebsd 4.0 if theres something absolutely amazing in the next version if ipf that makes my life hella better at work, I'll use it ;) as it is, I'm using OpenBSD/IPSec to tunnel and bridge packets from exodus to the office (well not quite yet, but we have the go ahead on that project) , which is irony, those who know who I am will agree ;) -Trish __ Trish Lynch FreeBSD - The Power to Serve trish@bsdunix.net Rush Networking trish@rush.net On Thu, 27 Jul 2000, Darren Reed wrote: > In some mail from Siobhan Patricia Lynch, sie said: > > > > I actually use ipfw for everything, I can;t see any real advantage to > > ipfilter in a situation that we're using it for (some people know > > where I work) > > > > ipfilter has to be flushed and reloaded, I don;t have that luxury > > > > ipfw I can add rules on the fly. > > You can do that with ipfilter too. > > In fact, ipfilter allows you to make complete ruleset changes, on the > fly with 0 security risk (i.e. there is no gap of "half your rules > being in place"). > > Even at bootup, you can go from "no rules, default = block" to > "full ruleset" and not have any packets slip between the cracks > as various lines get added to allow/deny things. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message ------_=_NextPart_001_01BFF7E1.6E2983E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: ipf or ipfw (was: log with dynamic firewall rules)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>It wouldn't work with ipf, period. IPF doesn't = support bridging in FreeBSD 4, no? or is your bridging in reference to = something else?</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Siobhan Patricia Lynch [<A = HREF=3D"mailto:trish@bsdunix.net">mailto:trish@bsdunix.net</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Thursday, July 27, 2000 11:31 AM</FONT> <BR><FONT SIZE=3D2>To: Darren Reed</FONT> <BR><FONT SIZE=3D2>Cc: Reinoud; Gerhard Sittig; = freebsd-security@FreeBSD.ORG</FONT> <BR><FONT SIZE=3D2>Subject: Re: ipf or ipfw (was: log with dynamic = firewall rules)</FONT> </P> <BR> <P><FONT SIZE=3D2>I'm not saying that ipf is bad, in fact, prior to = keep-state and</FONT> <BR><FONT SIZE=3D2>check-state in ipfw, I used ipf quite a bit.</FONT> </P> <P><FONT SIZE=3D2>again, *some* people here know who I work for, but = the networking going</FONT> <BR><FONT SIZE=3D2>into sites looks like this:</FONT> </P> <P><FONT SIZE=3D2>cisco (non-stateful) -> freebsd bridging ipfw = -> arrowpoint web content</FONT> <BR><FONT SIZE=3D2>switch -> clusters</FONT> </P> <P><FONT SIZE=3D2>ipfw works quite well, but wouldn;t in this situation = prior to freebsd 4.0</FONT> </P> <P><FONT SIZE=3D2>if theres something absolutely amazing in the next = version if ipf that</FONT> <BR><FONT SIZE=3D2>makes my life hella better at work, I'll use it = ;)</FONT> </P> <P><FONT SIZE=3D2>as it is, I'm using OpenBSD/IPSec to tunnel and = bridge packets from exodus</FONT> <BR><FONT SIZE=3D2>to the office (well not quite yet, but we have the = go ahead on that</FONT> <BR><FONT SIZE=3D2>project) , which is irony, those who know who I am = will agree ;)</FONT> </P> <P><FONT SIZE=3D2>-Trish</FONT> </P> <P><FONT SIZE=3D2>__</FONT> </P> <P><FONT SIZE=3D2>Trish Lynch</FONT> <BR><FONT SIZE=3D2>FreeBSD - The Power to Serve = trish@bsdunix.net</FONT> <BR><FONT SIZE=3D2>Rush Networking = = = trish@rush.net</FONT> </P> <P><FONT SIZE=3D2>On Thu, 27 Jul 2000, Darren Reed wrote:</FONT> </P> <P><FONT SIZE=3D2>> In some mail from Siobhan Patricia Lynch, sie = said:</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > I actually use ipfw for everything, I = can;t see any real advantage to</FONT> <BR><FONT SIZE=3D2>> > ipfilter in a situation that we're using = it for (some people know</FONT> <BR><FONT SIZE=3D2>> > where I work)</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > ipfilter has to be flushed and reloaded, I = don;t have that luxury</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > ipfw I can add rules on the fly.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> You can do that with ipfilter too.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> In fact, ipfilter allows you to make complete = ruleset changes, on the</FONT> <BR><FONT SIZE=3D2>> fly with 0 security risk (i.e. there is no gap = of "half your rules</FONT> <BR><FONT SIZE=3D2>> being in place").</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Even at bootup, you can go from "no rules, = default =3D block" to</FONT> <BR><FONT SIZE=3D2>> "full ruleset" and not have any = packets slip between the cracks</FONT> <BR><FONT SIZE=3D2>> as various lines get added to allow/deny = things.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> To Unsubscribe: send mail to = majordomo@FreeBSD.org</FONT> <BR><FONT SIZE=3D2>> with "unsubscribe freebsd-security" = in the body of the message</FONT> <BR><FONT SIZE=3D2>> </FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>To Unsubscribe: send mail to = majordomo@FreeBSD.org</FONT> <BR><FONT SIZE=3D2>with "unsubscribe freebsd-security" in the = body of the message</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF7E1.6E2983E0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?712384017032D411AD7B0001023D799B07CA70>