Date:      Tue, 28 Jan 2003 16:03:32 -0500
From:      Steve Shorter <steve@nomad.lets.net>
To:        theob@za.uu.net
Cc:        freebsd-security@freebsd.org
Subject:   Re: The way forward.......
Message-ID:  <20030128160332.A79276@nomad.lets.net>
In-Reply-To: <20030127073039.U1537@woody.ops.uunet.co.za>; from theob@za.uu.net on Mon, Jan 27, 2003 at 08:06:17AM +0200
References:  <20030127073039.U1537@woody.ops.uunet.co.za>

On Mon, Jan 27, 2003 at 08:06:17AM +0200, theob@za.uu.net wrote:
> 
> So then is it safe to assume that ipfilter is the best choice for
> statefulness?
> 

	Depends on how you wish to evaluate them.

> There is also mention that one would have a lot more functionality by using
> ipfw and adding stateful arguments to the rule sets, is this true?
> 

	Depending on what you want you can have both at the same time.

> While ipfw may not be a true stateful firewall, one can still add in the
> functionality and therefore be able to set up a very secure firewall, but
> how secure would it be against a firewall based on the ipfilter way?
[snip]
> 
> I guess what I'm trying to say is, on an average what do most people use?
> My feel is that ipfilter is the way to go, however since ipfw is FreeBSD
> specific then running a firewall on FreeBSD one should aim at ipfw as
> opposed to ipfilter......
> 
	Well .. I've got a dedicated FreeBSD router/firewall up front
with ipfw *AND* ipfilter compiled in. IPFilter does full stateful
filtering and NAT. ipfw doesn't do anything except occasionally
some "emergency" or diagnostic stuff that IPFilter can't do. ipfw is compiled
default "accept" and ipf is built with default "deny".

	The above machine is a gateway for a network of web/mail servers
running FreeBSD also. On the internal machines I am running just ipfw in
stateless mode only. So this way I get 2 layer "onion" firewall/packet 
management.

	-steve
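
A sketch of the gateway arrangement described in the message above, added here as an example; it is not the poster's configuration. The interface names (fxp0 external, fxp1 internal), the 10.0.0.0/24 and 192.0.2.1 addresses, the server hosts and the individual rules are all assumptions.

```conf
# --- kernel config: both filters compiled in ---
# ipfw present but permissive, kept for ad-hoc emergency/diagnostic rules
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
# IPFilter does the real work and fails closed if no rules are loaded
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

# --- /etc/ipf.rules: stateful filtering on the gateway ---
# Explicit default deny (matches IPFILTER_DEFAULT_BLOCK)
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound on the external side: keep state so replies are matched
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound services. NAT runs before filtering on input, so these rules
# match the translated (internal) destination addresses.
pass in quick on fxp0 proto tcp from any to 10.0.0.10/32 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 10.0.0.11/32 port = 25 flags S keep state

# Internal side: accept traffic from the server network; packets leaving
# on fxp1 were already filtered when they arrived on fxp0
pass in quick on fxp1 from 10.0.0.0/24 to any
pass out quick on fxp1 all

# --- /etc/ipnat.rules: NAT on the gateway ---
# Outbound translation for the internal network (0/32 = interface address)
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.0.0.0/24 -> 0/32
# Inbound redirects to the web and mail servers
rdr fxp0 192.0.2.1/32 port 80 -> 10.0.0.10 port 80 tcp
rdr fxp0 192.0.2.1/32 port 25 -> 10.0.0.11 port 25 tcp
```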
