From owner-freebsd-security Sun Jul 30 23:59: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 694A137B94F for ; Sun, 30 Jul 2000 23:58:53 -0700 (PDT) (envelope-from cjc@184.215.6.64.reflexcom.com)
Received: from 184.215.6.64.reflexcom.com ([64.6.215.184]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 30 Jul 2000 23:57:54 -0700
Received: (from cjc@localhost) by 184.215.6.64.reflexcom.com (8.9.3/8.9.3) id XAA28887; Sun, 30 Jul 2000 23:58:51 -0700 (PDT) (envelope-from cjc)
Date: Sun, 30 Jul 2000 23:58:51 -0700
From: "Crist J . Clark"
To: "Jonathan M. Bresler"
Cc: mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000730235851.B26209@184.215.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20000730192717.7C78237B717@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
> >
> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> > some initial frustration when glancing over the man page, but after I
> > decided to read it, word for word, and started toying with the examples,
> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> > other products I use on a daily basis.
> >
> > -mrh
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 its not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

IIRC, you can act on packets depending on the interface. However, you
cannot access this functionality through that @#*% GUI policy manager;
you need to hack the script that the GUI generates which FW-1 actually
eats. Once again, a GUI being used where a GUI should not be used... yet
the GUI is probably why FW-1 is so popular.

Similar situation to a certain popular operating system. The uninitiated
think it is easier to admin because it has a GUI when, if anything, the
GUI gets in the way of any experienced admin. To be nice, I won't
mention the OS by name, but its initials are NT.
--
Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
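The per-interface matching the thread mentions (screening spoofed inside addresses that arrive on the outside interface) is ipfw's "in via <iface>" option. The script below is an added example, not code from the thread or from FreeBSD; it generates anti-spoofing rules for assumed interface names and an assumed inside network, and prints the "ipfw add" commands instead of running them so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: emit ipfw anti-spoofing rules built on ipfw's ability
# to match the interface a packet arrives on ("in via <iface>").
# Interface names, networks and rule numbers are assumptions for the
# example; adapt them to the host. Place these rules before the
# "divert natd" rule so spoofed packets are dropped before translation.
#
# Usage: antispoof_rules EXT_IF INT_IF INSIDE_NET [BASE_RULE_NUMBER]

antispoof_rules() {
    ext_if=$1; int_if=$2; inside_net=$3; n=${4:-100}

    # Sources that can never legitimately arrive on the outside
    # interface: our own inside network, loopback and the RFC 1918
    # private ranges. "in via $ext_if" matches only inbound packets
    # received on that interface.
    for net in "$inside_net" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipfw add $n deny log ip from $net to any in via $ext_if"
        n=$((n + 1))
    done

    # Conversely, only the inside network may source packets on the
    # inside interface; anything else there is spoofed or misconfigured.
    echo "ipfw add $n allow ip from $inside_net to any in via $int_if"
    n=$((n + 1))
    echo "ipfw add $n deny log ip from any to any in via $int_if"
}

# Number of rules produced; a quick sanity check before applying.
antispoof_rule_count() {
    antispoof_rules "$@" | wc -l | tr -d ' '
}

# Example invocation with constructed values: external fxp0, internal
# xl0, inside network 192.168.1.0/24. Pipe the output into sh to apply.
antispoof_rules fxp0 xl0 192.168.1.0/24 100
```

Because "via" matches either direction on its own, the "in" keyword matters: without it the rules would also drop the host's own legitimate outbound traffic from the inside network.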