From owner-freebsd-hackers Mon Aug 19 01:33:20 1996
Date: Mon, 19 Aug 1996 18:33:11 +1000 (EST)
From: "Daniel O'Callaghan"
To: hackers@freebsd.org
Subject: Re: ipfw vs ipfilter
In-Reply-To: <7036.840432968@critter.tfs.com>
Sender: owner-hackers@freebsd.org

On Mon, 19 Aug 1996, Poul-Henning Kamp wrote:

> >IP Filter has its own set of regression tests, which you can verify yourself
> >and then against a test run, if you like. Not to mention that this has
> >helped find bugs. Both rule parsing and rule processing are tested for
> >correctness. This is seen in neither ipfw nor ipfwadm for FreeBSD/Linux.
> >In a security conscious world, how can you not want to be sure of something
> >like this?
>
> Uhm, aren't people overlooking the obvious here: We can have both,
> and the user can choose.

That was my hope at least. Seemed obvious to me from the start, especially
since the 'hook' code for ipfilter is relatively small, and ipfilter and
ipfw are enabled by different kernel options. Still, I thought Jordan was
looking to standardize on a single filter.

Maybe for 2.1.6 (or whatever it turns out to be :-)) the ipfilter hooks
could be left in the kernel, and the lkm, man pages and utilities made
into a package.

Or, someone could make the FreeBSD installation notes that Darren packages
a little more clear. I did it all last week, so I guess I'm an obvious
choice to do that. Heck, I'll do it now.

Danny