From: "Chris Odell"
To: "'Zvezdan Petkovic'"
Date: Sat, 9 Aug 2003 10:13:27 -0700
Organization: Red Star Networks, INC
Message-ID: <000d01c35e99$8ce83020$0b05a8c0@delllaptop>
In-Reply-To: <20030809153213.GA2391@dali.cs.wm.edu>
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
List-Id: Security issues [members-only posting]

I AM WRONG..... I AM VERY SORRY.....

I can't believe it takes fifty different people to bash me, as I think I tucked my tail between my legs after the first time being told I was wrong. I accepted it and didn't argue, so now I think the rest of you people should give up on it now. You have proved your point, now get off me. I bought a computer mainly as a way to ignore my wife, now I'm not sure what is worse - your bitching or hers?

Chris Odell

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Zvezdan Petkovic
Sent: Saturday, August 09, 2003 8:32 AM
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> What are you meaning by "native"? They both exist as part of the base
> FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to
> FreeBSD.

Notice that I said "AFAIK" in the original message below.
But let me elaborate.

I had in mind this sentence from FreeBSD Handbook, Section 10.7.1

"FreeBSD comes with a kernel packet filter (known as IPFW), which is what the rest of this section will concentrate on."

The handbook does _not_ talk about IPF.

Also, this document

http://www.freebsd.org/news/status/report-may-2002-june-2002.html

says (notice the word "native" in the first sentence, please):

"In summer 2002 the native FreeBSD firewall has been completely rewritten in a form that uses BPF-like instructions to perform packet matching in a more effective way. The external user interface is completely backward compatible, though you can make use of some newer match patterns (e.g. to handle sparse sets of IP addresses) which can dramatically simplify the writing of ruleset (and speed up their processing). The new firewall, called ipfw2, is much faster and easier to extend than the old one. It has been already included in FreeBSD-CURRENT, and patches for FreeBSD-STABLE are available from the author."

I rest my case.

> I don't see how this argument is appropriate for choosing one over the
> other anyway.

That was exactly my point. Chris Odell admonished the original poster for using IPFW stating that IPF is native to *BSD. I simply wanted to point out that is not the exact state of affairs.

>
> On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > >
> > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF
> > > for firewalling, and IPFW for throttling via dummy net. My
> > > recommended reading for IPF and IPFW is "Building Linux and
> > > OpenBSD Firewalls"...
> >
> > Where did you get this information?
> >
> > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X
> > as a native firewall, due to Darwin's FreeBSD roots.
> >
> > Also, OpenBSD stopped using ipf four releases ago. The native
> > firewall for OpenBSD is pf. pf inherited much of the syntax from
> > ipf, but also extended it and added some features.
> >
> > That said, I personally find ipf quite a good stateful firewall and
> > its syntax can feel more natural than ipfw syntax. It also works on
> > Solaris and other OS's besides *BSDs.

Best regards,
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/