Date: Sun, 30 Jul 2000 22:13:04 +0200
From: Rémi Guyomarch <rguyom@321.net>
To: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000730221304.A275@diabolic-cow.321.net>
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700
References: <Pine.BSF.4.21.0007251206530.27676-100000@snafu.adept.org> <20000730192717.7C78237B717@hub.freebsd.org>
On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 it's not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

Anti-spoofing stuff on FW1 is done differently than other rules. And you
can configure anti-spoofing on each interface.

But there's something you can't do with FW1: NAT'ing the same hosts /
networks to different (public) addresses according to the external
interface the packets cross. You have possible workarounds, but they are
ugly.

--
Rémi
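As an added example, not part of the thread and not any poster's configuration, here is an ipfw/natd script for a FreeBSD gateway with one inside interface and two external interfaces that does both of the things discussed above: it drops packets carrying inside (or loopback, or its own public) source addresses when they arrive on an outside interface, which is the interface-based screening Jonathan describes, and it runs one natd instance per external interface on its own divert port, so the same inside hosts are translated to a different public address depending on which external interface they leave through, which is the case Rémi says FW1 cannot express directly. The interface names, address blocks and divert ports are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example for a FreeBSD gateway: per-interface anti-spoofing with ipfw
# plus one natd instance per external interface. Not taken from the thread;
# every interface name, address block and port below is an assumption.

inside_if="fxp0";  inside_net="192.168.1.0/24"                   # hosts behind the gateway
ext1_if="fxp1";    ext1_addr="203.0.113.1";  nat1_port=8668      # natd's default divert port
ext2_if="fxp2";    ext2_addr="198.51.100.1"; nat2_port=8669

run=""   # set to "echo" to preview the commands instead of executing them

fw() { $run /sbin/ipfw "$@"; }

# Anti-spoofing keyed on the interface a packet arrives on. These rules are
# numbered low so they are evaluated before any divert (NAT) or allow rule.
antispoof_rules() {
    for ext in "$ext1_if" "$ext2_if"; do
        # Inside addresses never legitimately arrive from the outside.
        fw add 100 deny log ip from "$inside_net" to any in via "$ext"
        # Loopback space never belongs on a real interface either.
        fw add 101 deny log ip from 127.0.0.0/8 to any in via "$ext"
    done
    # A packet claiming one of our own public addresses as source is spoofed too.
    fw add 102 deny log ip from "$ext1_addr" to any in via "$ext1_if"
    fw add 103 deny log ip from "$ext2_addr" to any in via "$ext2_if"
    # On the inside interface only inside addresses are acceptable sources.
    fw add 110 allow ip from "$inside_net" to any in via "$inside_if"
    fw add 111 deny log ip from any to any in via "$inside_if"
}

# Per-interface NAT: each external interface has its own divert port and its
# own natd, so the same inside hosts appear as ext1_addr when leaving via
# fxp1 and as ext2_addr when leaving via fxp2. "via" matches both directions,
# so replies are translated back on the way in.
nat_rules() {
    fw add 200 divert "$nat1_port" ip from any to any via "$ext1_if"
    fw add 201 divert "$nat2_port" ip from any to any via "$ext2_if"
}

start_natd() {
    # -p selects the divert port, -n takes the alias address from the interface.
    $run /sbin/natd -p "$nat1_port" -n "$ext1_if"
    $run /sbin/natd -p "$nat2_port" -n "$ext2_if"
}

# Minimal stateless pass rules after translation: anything out through an
# external interface, TCP replies back in, forwarded traffic to the inside.
# Tighten with keep-state / check-state or explicit service rules as needed.
pass_rules() {
    fw add 300 allow ip from any to any out via "$ext1_if"
    fw add 301 allow ip from any to any out via "$ext2_if"
    fw add 310 allow tcp from any to any established
    fw add 320 allow ip from any to "$inside_net" out via "$inside_if"
    # Everything else falls through to the implicit default deny (rule 65535).
}

apply_all() {
    fw -f flush
    antispoof_rules
    nat_rules
    pass_rules
    start_natd
}

# Run as root with "apply" to install; any other invocation prints the commands.
case "${1:-preview}" in
    apply) apply_all ;;
    *)     run=echo; apply_all ;;
esac
```

The kernel needs IPFIREWALL, IPDIVERT and (for the `log` keyword) IPFIREWALL_VERBOSE, and `net.inet.ip.forwarding` must be set to 1 for the box to route at all. Running the script without arguments only prints the ipfw and natd commands, which is a convenient way to review the rule order: every anti-spoofing deny (100 to 111) precedes the divert rules (200, 201), so a spoofed packet is dropped and logged before natd ever sees it.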