Date: Sun, 30 Jul 2000 23:58:51 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: "Jonathan M. Bresler" <jmb@hub.freebsd.org>
Cc: mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000730235851.B26209@184.215.6.64.reflexcom.com>
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700
References: <Pine.BSF.4.21.0007251206530.27676-100000@snafu.adept.org> <20000730192717.7C78237B717@hub.freebsd.org>

On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
> >
> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> > some initial frustration when glancing over the man page, but after I
> > decided to read it, word for word, and started toying with the examples,
> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> > other products I use on a daily basis.
> >
> > -mrh
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 it's not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

IIRC, you can act on packets depending on the interface. However, you
cannot access this functionality through that @#*% GUI policy
manager; you need to hack the script that the GUI generates which FW-1
actually eats.

Once again, a GUI being used where a GUI should not be used... yet the
GUI is probably why FW-1 is so popular. Similar situation to a certain
popular operating system. The uninitiated think it is easier to admin
because it has a GUI when, if anything, the GUI gets in the way of any
experienced admin. To be nice, I won't mention the OS by name, but its
initials are NT.
--
Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message