From owner-freebsd-security Tue Jan 28 13:09:27 2003
Date: Tue, 28 Jan 2003 16:03:32 -0500
From: Steve Shorter
To: theob@za.uu.net
Cc: freebsd-security@freebsd.org
Subject: Re: The way forward.......
Message-ID: <20030128160332.A79276@nomad.lets.net>
References: <20030127073039.U1537@woody.ops.uunet.co.za>
In-Reply-To: <20030127073039.U1537@woody.ops.uunet.co.za>; from theob@za.uu.net on Mon, Jan 27, 2003 at 08:06:17AM +0200
User-Agent: Mutt/1.2.5i

On Mon, Jan 27, 2003 at 08:06:17AM +0200, theob@za.uu.net wrote:
>
> So then is it safe to assume that ipfilter is the best choice for
> statefulness?
>

Depends on how you wish to evaluate them.

> There is also mention that one would have a lot more functionality by using
> ipfw and adding stateful arguments to the rule sets, is this true?
>

Depending on what you want you can have both at the same time.

> While ipfw may not be a true stateful firewall, one can still add in the
> functionality and therefore be able to set up a very secure firewall, but
> how secure would it be against a firewall based on the ipfilter way?

[snip]

>
> I guess what I'm trying to say is, on an average what do most people use?
> My feel is that ipfilter is the way to go, however since ipfw is FreeBSD
> specific then running a firewall on FreeBSD one should aim at ipfw as
> opposed to ipfilter......
>

Well .. I've got a dedicated FreeBSD router/firewall up front with ipfw
*AND* ipfilter compiled in. IPfilter does full stateful filtering and NAT.
ipfw doesn't do anything except occasionally some "emergency" or diagnostic
stuff that IPFilter can't do. ipfw is compiled default "accept" and ipf is
built with default "deny".

The above machine is a gateway for a network of web/mail servers running
FreeBSD also. On the internal machines I am running just ipfw in stateless
mode only. So this way I get 2 layer "onion" firewall/packet management.

-steve
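An added example (not part of Steve's message or of FreeBSD's own sample rule sets) of the two-layer layout he describes: the gateway runs IPFilter with a default-deny kernel, doing stateful filtering plus NAT, and ipfw built default-accept so it can be used for emergency rules without touching the real policy; each internal host runs a small stateless ipfw rule set as the inner layer. The interface names (fxp0 outside, fxp1 inside), the 192.168.1.0/24 inside network, the host addresses and the choice of published services are all assumptions made for the example.

```conf
# --- Gateway kernel options (assumed; FreeBSD 4.x-era names) ---
#   options IPFILTER
#   options IPFILTER_DEFAULT_BLOCK        # ipf: nothing passes unless a rule says so
#   options IPFIREWALL
#   options IPFIREWALL_DEFAULT_TO_ACCEPT  # ipfw: passes everything until an emergency rule is added
#   options IPFIREWALL_VERBOSE            # so "deny log" rules actually log

# --- /etc/ipf.conf on the gateway (fxp0 = outside, fxp1 = inside; assumed) ---
# Explicit default deny in both directions, even though the kernel already blocks.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# Anything originating inside may go out; the state entry admits the replies.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Inbound, only the published services. IPFilter applies the rdr NAT rules
# below before filtering, so these rules match the translated inside address.
pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.168.1.11 port = 25 flags S keep state
# The inside interface is trusted by this layer; the hosts filter themselves.
pass in quick on fxp1 all
pass out quick on fxp1 all

# --- /etc/ipnat.conf on the gateway ---
# Outbound masquerading to the fxp0 address (0/32 = "use the interface address").
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
# Publish the web and mail servers behind the gateway.
rdr fxp0 0/0 port 80 -> 192.168.1.10 port 80 tcp
rdr fxp0 0/0 port 25 -> 192.168.1.11 port 25 tcp

# --- Inner layer: stateless ipfw on the web server 192.168.1.10 ---
# /etc/rc.conf:   firewall_enable="YES"  firewall_type="/etc/ipfw.rules"
# /etc/ipfw.rules (rc.firewall feeds this file to ipfw; "ipfw" is omitted per line):
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
# Stateless: admit the SYN for the one service, then any packet with ACK/RST set.
add 300 allow tcp from any to 192.168.1.10 80 setup
add 400 allow tcp from any to any established
# Connections this host opens itself (mail relay and DNS on the gateway, assumed).
add 500 allow tcp from 192.168.1.10 to 192.168.1.1 25 setup
add 600 allow udp from 192.168.1.10 to 192.168.1.1 53
add 610 allow udp from 192.168.1.1 53 to 192.168.1.10
add 700 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
```

The inner rule set deliberately has no state: `established` passes any segment with ACK or RST set, so it relies on the gateway's stateful layer to stop spoofed ACK traffic from outside, which is exactly the division of labour the "onion" gives. Note that rule 610 leaves a hole for any UDP source port 53 from the gateway, the usual price of stateless DNS rules; running a local caching resolver or tightening the source address is the common mitigation.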