From: "Jesse"
To: chris@redstarnetworks.net
Cc: security@freebsd.org
Date: Sat, 9 Aug 2003 20:29:44 +0900
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Message-Id: <20030809202944.M87994@206underground.net>
In-Reply-To: <000d01c35e99$8ce83020$0b05a8c0@delllaptop>
References: <20030809153213.GA2391@dali.cs.wm.edu> <000d01c35e99$8ce83020$0b05a8c0@delllaptop>

> I bought a computer
> mainly as a way to ignore my wife, now I'm not sure what is worse - Your
> bitching or hers?

Thank you for injecting some rare humor into what is usually/supposedly an otherwise quiet, boring list ;P

>
> Chris Odell
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Zvezdan
> Petkovic
> Sent: Saturday, August 09, 2003 8:32 AM
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
>
> On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> > What are you meaning by "native"? They both exist as part of the base
> > FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to
> > FreeBSD.
>
> Notice that I said "AFAIK" in the original message below. But let me
> elaborate.
>
> I had in mind this sentence from FreeBSD Handbook, Section 10.7.1
>
> "FreeBSD comes with a kernel packet filter (known as IPFW),
> which is what the rest of this section will concentrate on."
>
> The handbook does _not_ talk about IPF.
>
> Also, this document
>
> http://www.freebsd.org/news/status/report-may-2002-june-2002.html
> says (notice the word "native" in the first sentence, please):
>
> "In summer 2002 the native FreeBSD firewall has been completely
> rewritten in a form that uses BPF-like instructions to perform
> packet matching in a more effective way. The external user
> interface is completely backward compatible, though you can make
> use of some newer match patterns (e.g. to handle sparse sets of
> IP addresses) which can dramatically simplify the writing of
> ruleset (and speed up their processing). The new firewall,
> called ipfw2, is much faster and easier to extend than the old
> one. It has been already included in FreeBSD-CURRENT, and
> patches for FreeBSD-STABLE are available from the author."
>
> I rest my case.
>
> > I don't see how this argument is appropriate for choosing one over the
> > other anyway.
>
> That was exactly my point. Chris Odell admonished the original
> poster for using IPFW stating that IPF is native to *BSD. I simply
> wanted to point out that is not the exact state of affairs.
>
> >
> > On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > > >
> > > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF
> > > > for firewalling, and IPFW for throttling via dummy net. My
> > > > recommended reading for IPF and IPFW is "Building Linux and
> > > > OpenBSD Firewalls"...
> > >
> > > Where did you get this information?
> > >
> > > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X
> > > as a native firewall, due to Darwin's FreeBSD roots.
> > >
> > > Also, OpenBSD stopped using ipf four releases ago. The native
> > > firewall for OpenBSD is pf. pf inherited much of the syntax from
> > > ipf, but also extended it and added some features.
> > >
> > > That said, I personally find ipf quite a good stateful firewall and
> > > its syntax can feel more natural than ipfw syntax. It also works on
> > > Solaris and other OS's besides *BSDs.
>
> Best regards,
> --
> Zvezdan Petkovic http://www.cs.wm.edu/~zvezdan/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

------- End of Original Message -------