From owner-freebsd-questions Sun Feb 25 10:10:49 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 94AFC37B4EC for ; Sun, 25 Feb 2001 10:10:45 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id TAA16790; Sun, 25 Feb 2001 19:10:36 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3A994A9C.6E5542EA@eboa.com>
Date: Sun, 25 Feb 2001 19:10:36 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Duraid
Cc: "freebsd-questions@FreeBSD.ORG"
Subject: Re: netfilter in freebsd
References: <3A977CB1.7EF85F24@home.com> <20010224144734.A23735@daemon.kingsqueak.org> <3A982EE9.6BB6F1BE@eboa.com> <3A97EB10.BA8E0293@home.com> <3A9838E9.D96506BF@eboa.com> <3A98FB62.C9F8DE38@home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Duraid wrote:
>
> Not really. After lots of digging through, there is a major difference
> between the two. ipfilter is a true stateful packet filter; that is, it has
> a state table that can keep track of every packet that you send using the 'keep
> state' keyword. This way you can block anything that you didn't send, while ipfw
> has the 'established' option but doesn't use a state table (memory) and only
> decides upon seeing certain flags in the packet (ACK and maybe FIN), which anybody
> can fake and pierce your firewall.

From ipfw(8):

     If the ruleset includes one or more rules with the keep-state option,
     then ipfw assumes a stateful behaviour, i.e. upon a match will create
     dynamic rules matching the exact parameters (addresses and ports) of
     the matching packet. These dynamic rules, which have a limited
     lifetime, are checked at the first occurrence of a check-state or
     keep-state rule, and are typically used to open the firewall on-demand
     to legitimate traffic only. See the RULE FORMAT and EXAMPLES sections
     below for more information on the stateful behaviour of ipfw.

Maybe I'm missing something, but it sure looks like an in-memory table to me.

Roelof

PS I'm looking at a 4.2 manpage here. The 3.4 and earlier have indeed only the
established option. Don't know about 3.5.
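To make the distinction the two posters are arguing about concrete, here is an added toy model in Python (my own example, not code from the thread or from ipfw): the 'established' option looks only at TCP flag bits, while a check-state/keep-state pair consults a table of dynamic rules created by the host's own outbound connections. The host address and the packets are constructed, and the limited lifetime of dynamic rules is not modelled.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits
# Constructed address for the host behind the firewall (not from the thread).
MY_HOST = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_allows(pkt):
    """'allow tcp from any to any established': matches any TCP packet with
    RST or ACK set. No table is consulted, so an unsolicited packet passes
    as long as its sender sets one of those bits."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFirewall:
    """Models 'check-state' plus 'allow tcp from me to any setup keep-state':
    outbound SYNs create dynamic rules keyed on the exact 4-tuple, and inbound
    packets are admitted only if they match one of those rules."""

    def __init__(self):
        self.dynamic = set()  # dynamic rules (lifetime not modelled)

    def outbound(self, pkt):
        # 'setup' means SYN set and ACK clear; keep-state records the flow
        if pkt.src == MY_HOST and pkt.flags & SYN and not pkt.flags & ACK:
            self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def inbound(self, pkt):
        # check-state: the reverse 4-tuple must have been recorded earlier
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic


def compare():
    """Returns {name: (established_allows, stateful_allows)} for one genuine
    reply and one unsolicited packet that merely carries the ACK bit."""
    fw = StatefulFirewall()
    fw.outbound(Packet(MY_HOST, 40000, "198.51.100.5", 80, SYN))
    reply = Packet("198.51.100.5", 80, MY_HOST, 40000, SYN | ACK)
    spoofed = Packet("203.0.113.9", 5555, MY_HOST, 22, ACK)  # constructed
    return {"reply": (established_allows(reply), fw.inbound(reply)),
            "unsolicited": (established_allows(spoofed), fw.inbound(spoofed))}
```

Both strategies admit the genuine reply, but only the flag-based check admits the unsolicited packet, which is the weakness the quoted post describes and the reason the 4.x manpage recommends keep-state.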