From owner-freebsd-questions Mon Nov 19 14:56:09 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from axel.truedestiny.net (b76168.upc-b.chello.nl [212.83.76.168]) by hub.freebsd.org (Postfix) with ESMTP id C7CA337B417 for ; Mon, 19 Nov 2001 14:56:05 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by axel.truedestiny.net (Postfix) with ESMTP id B134449A24; Mon, 19 Nov 2001 23:56:03 +0100 (CET)
Received: by axel.truedestiny.net (Postfix, from userid 1000) id 3D5B549A23; Mon, 19 Nov 2001 23:56:01 +0100 (CET)
Date: Mon, 19 Nov 2001 23:56:01 +0100
From: Axel Scheepers
To: Walter Hop
Cc: Chris Appleton, freebsd-questions@freebsd.org
Subject: Re: NAT security
Message-ID: <20011119235600.A1904@mars.thuis>
Reply-To: Axel Scheepers
References: <917DCA667947D4118E2100AA00BAEA6E1ABC06@vonneumann.emailtopia.com> <83141508858.20011119162408@binity.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <83141508858.20011119162408@binity.com>; from walter@binity.com on Mon, Nov 19, 2001 at 04:24:08PM +0100
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Nov 19, 2001 at 04:24:08PM +0100, Walter Hop wrote:
> > I can set up ipfw to allow connections to these IPs but with
> > essentially a restricted port/direction list?
>
> Yes, with ipfw you can specify exactly what traffic is allowed and
> disallowed. ipfw acts on a gateway like on a normal host (allow this,
> deny that, allow that, etc.); ipfw rules are processed on the gateway
> before and after packets are forwarded. Setting up ipfw rules for a
> usual network situation is not that hard.
>
> > Would ipfilter allow me to do this as well?
>
> I have no experience with that (ipfw always did what I needed), maybe
> someone else can add to the story...
I use ipfilter/ipnat and like the way you can flush/edit the kernel filter list and the possibility to create nice config files for it. As I see it, ipfilter is a bit better at handling large configurations. It also uses a technique which processes the whole ruleset, which might be a bit confusing when you first start using it.

My gateway/firewall is a simple 486-33/16MB. I used ipfw & natd for a while, but since these copy packets from kernel to userland, and ipfilter/ipnat don't, ipfilter gives _way_ more performance on a busy network.

For home use I shouldn't care if I were you; if ipfw suits you and does 'your thing', use it. :)

--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Never count your chickens before they rip your lips off
------------------------------------------
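As an added illustration of the "restricted port/direction list" Walter describes (example script, not from this thread or from FreeBSD's own rc.firewall): a small ipfw ruleset for a gateway that lets a LAN reach only a handful of destination:port pairs and drops everything else. All names and addresses are constructed assumptions: external interface fxp0, internal interface fxp1, LAN 192.168.1.0/24, and remote hosts in the 203.0.113.0/24 documentation range. The script follows the rc.firewall habit of routing every rule through a variable; by default it is a dry run that just prints the rules, so it can be reviewed before being loaded with FWCMD=/sbin/ipfw.

```shell
#!/bin/sh
# Added example: an ipfw allow-list for a small gateway (constructed values).
# Dry run by default: FWCMD="echo ipfw" prints the rules instead of loading them.
# Set FWCMD=/sbin/ipfw (as root, on the gateway) to apply them for real.
FWCMD=${FWCMD:-"echo ipfw"}
EXT_IF=fxp0              # assumed outside interface
INT_IF=fxp1              # assumed inside interface
LAN=192.168.1.0/24       # assumed internal network
RESOLVER=203.0.113.53    # assumed DNS server the LAN may query

# "host:port" pairs the LAN may open TCP connections to; nothing else goes out.
ALLOWED="203.0.113.10:80 203.0.113.10:443 203.0.113.20:22"

ipfw_rules() {
  $FWCMD -f flush
  # Dynamic (keep-state) entries are matched first, so replies for sessions
  # that were allowed below get back in without a separate inbound rule.
  $FWCMD add 100 check-state
  # Anti-spoofing: LAN or loopback source addresses must never arrive on
  # the outside interface.
  $FWCMD add 200 deny ip from $LAN to any in via $EXT_IF
  $FWCMD add 210 deny ip from 127.0.0.0/8 to any in via $EXT_IF
  # Loopback traffic on the gateway itself.
  $FWCMD add 300 allow ip from any to any via lo0
  # One allow rule per destination:port, outbound only. "setup" matches only
  # the SYN, so the LAN can initiate but the remote host cannot connect back.
  n=1000
  for entry in $ALLOWED; do
    host=${entry%:*}
    port=${entry#*:}
    $FWCMD add $n allow tcp from $LAN to $host $port out via $EXT_IF setup keep-state
    n=$((n + 10))
  done
  # DNS to the one resolver; keep-state lets the UDP answer back in.
  $FWCMD add 2000 allow udp from $LAN to $RESOLVER 53 out via $EXT_IF keep-state
  # Everything else, in either direction, is dropped and logged.
  $FWCMD add 65000 deny log ip from any to any
}

# Helper for review: how many rules the ruleset would install.
count_rules() {
  ipfw_rules | grep -c ' add '
}

# Run as a script: print (or load) the ruleset.
ipfw_rules
```

Because ipfw stops at the first matching rule, the order above matters: check-state before the static rules, anti-spoofing before any allow, and the catch-all deny last. ipfilter evaluates the whole ruleset and takes the last match unless a rule says `quick`, which is the behaviour Axel mentions as confusing at first; the same policy written for ipfilter would therefore put the catch-all block first.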