Date:      Mon, 19 Nov 2001 23:56:01 +0100
From:      Axel Scheepers <axel@axel.truedestiny.net>
To:        Walter Hop <walter@binity.com>
Cc:        Chris Appleton <cappleton@emailtopia.com>, freebsd-questions@freebsd.org
Subject:   Re: NAT security
Message-ID:  <20011119235600.A1904@mars.thuis>
In-Reply-To: <83141508858.20011119162408@binity.com>; from walter@binity.com on Mon, Nov 19, 2001 at 04:24:08PM +0100
References:  <917DCA667947D4118E2100AA00BAEA6E1ABC06@vonneumann.emailtopia.com> <83141508858.20011119162408@binity.com>

On Mon, Nov 19, 2001 at 04:24:08PM +0100, Walter Hop wrote:
> > I can setup ifpw to allow connections to these ip's but with
> > essentially a restricted port/direction list?
> 
> Yes, with ipfw you can specify exactly what traffic is allowed and
> disallowed. ipfw acts on a gateway like on a normal host (allow this,
> deny that, allow that, etc); ipfw rules are processed on the gateway
> before and after packets are forwarded. Setting up ipfw rules for a
> usual network situation is not that hard.
> 
> > Would ipfilter allow me to do this as well?
> 
> I have no experience with that (ipfw always did what I needed), maybe
> someone else can add to the story...

I use ipfilter/ipnat and like the way you can flush/edit the kernel filter list
and the possibility to create nice config files for it. As I see it ipfilter is
a bit better at handling large configurations.
It also uses a technique which processes the whole ruleset, which might be a
bit confusing when you first start using it.
My gateway/firewall is a simple 486-33/16MB. I used ipf & natd for a while,
but since these copy packets from kernel to userland, and ipfilter/ipnat don't,
ipfilter gives _way_ more performance on a busy network.
For home use I shouldn't care if I were you; if ipfw suits you and does 'your
thing', use it. :)

-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Never count your chickens before they rip your lips off
------------------------------------------
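The "processes the whole ruleset" behaviour Axel mentions is ipfilter's last-match semantics: every rule is evaluated and the last one that matches decides, unless a rule carries `quick`, which stops evaluation there. Below is an added example of an ipfilter/ipnat configuration for a small NAT gateway of the kind discussed in this thread (restricted ports and directions); it is not from the original posts and assumes `ed0` is the outside interface and `ed1` the LAN side with 192.168.1.0/24.

```conf
# --- /etc/ipf.rules (example; interfaces and addresses are assumed) ---
# ipfilter evaluates the WHOLE list; the LAST matching rule wins unless a
# matching rule says "quick", which ends evaluation at that rule.

# Default policy first, so that later, more specific rules override it.
block in log all
block out log all

# Loopback and the LAN side are trusted; "quick" stops evaluation here.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ed1 from 192.168.1.0/24 to any keep state
pass out quick on ed1 all keep state

# Outside interface: only what the gateway itself offers (SSH here).
# Replies to LAN-initiated flows are matched by the state table, which is
# consulted before the rules, so no separate "established" rule is needed.
pass in quick on ed0 proto tcp from any to any port = 22 flags S keep state

# Outbound from the gateway/LAN via ed0: new TCP sessions, DNS, echo request.
pass out quick on ed0 proto tcp from any to any flags S keep state
pass out quick on ed0 proto udp from any to any port = 53 keep state
pass out quick on ed0 proto icmp from any to any icmp-type 8 keep state

# Last-match demonstration (no "quick"): both rules match a SYN to port 25
# on ed0. Because the block comes later, it wins and the pass is dead code.
# Reversing the order would silently open SMTP to the world, which is the
# trap newcomers fall into; ipfw, by contrast, stops at the first match.
pass in on ed0 proto tcp from any to any port = 25 flags S keep state
block in on ed0 proto tcp from any to any port = 25

# --- /etc/ipnat.rules ---
# Map the LAN behind the address of ed0 (0/32 = use the interface address).
# The portmap line handles TCP/UDP; the second line catches everything else.
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map ed0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; the `-F` flags flush the in-kernel lists first, which is the flush/edit convenience Axel refers to.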
