From owner-freebsd-security Sun Jul 30 14: 8:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp2.cluster.oleane.net (smtp2.cluster.oleane.net [195.25.12.17]) by hub.freebsd.org (Postfix) with ESMTP id 09C6737B7AB for ; Sun, 30 Jul 2000 14:08:53 -0700 (PDT) (envelope-from rguyom@321.net)
Received: from diabolic-cow.321.net (dyn-1-1-024.Orl.dialup.oleane.fr [195.25.26.24]) by smtp2.cluster.oleane.net with ESMTP id XAA46232 for ; Sun, 30 Jul 2000 23:10:07 +0200 (CEST)
Received: by diabolic-cow.321.net (Postfix, from userid 1000) id 16F99114; Sun, 30 Jul 2000 22:13:04 +0200 (CEST)
Date: Sun, 30 Jul 2000 22:13:04 +0200
From: Rémi Guyomarch
To: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000730221304.A275@diabolic-cow.321.net>
References: <20000730192717.7C78237B717@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as I know, in FW1 it's not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

Anti-spoofing stuff on FW1 is done differently than other rules. And you
can configure anti-spoofing on each interface.

But there's something you can't do with FW1: NAT'ing the same hosts /
networks to different (public) addresses according to the external
interface the packets cross.

You have possible workarounds, but they are ugly.

-- 
Rémi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
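The interface-aware anti-spoofing check that Jonathan describes (dropping packets with inside source addresses when they arrive on the outside interface) can be modelled without a FreeBSD box. The following is an added example, not code from this thread or from FreeBSD: a small first-match evaluator for the subset of ipfw rule syntax used here (`allow`/`deny`, `ip from <net> to <net>`, `in`/`out`, `via <iface>`), ending in ipfw's implicit default-deny rule 65535. The interface names fxp0 (outside) and fxp1 (inside), the inside network 192.168.1.0/24, and the sample packets are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology for the example: fxp0 faces the Internet, fxp1 the LAN.
INSIDE_NET = "192.168.1.0/24"


@dataclass
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet arrives on (in) or leaves through (out)
    direction: str  # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                                  # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]         # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str]                     # "in", "out" or None (both)
    via: Optional[str]                           # interface name or None (any)


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(number: int, text: str) -> Rule:
    """Parse '<allow|deny> ip from <net|any> to <net|any> [in|out] [via <iface>]'."""
    tok = text.split()
    if len(tok) < 6 or tok[1] != "ip" or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    if tok[0] not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {tok[0]!r}")
    direction = via = None
    rest, i = tok[6:], 0
    while i < len(rest):
        if rest[i] in ("in", "out"):
            direction, i = rest[i], i + 1
        elif rest[i] == "via" and i + 1 < len(rest):
            via, i = rest[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option near {rest[i]!r} in {text!r}")
    return Rule(number, tok[0], _net(tok[3]), _net(tok[5]), direction, via)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified field of the rule must match; unspecified fields match anything."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet):
    """First matching rule wins, like ipfw; fall through to the implicit deny at 65535."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


# Constructed ruleset: the anti-spoofing rule comes first so it cannot be bypassed
# by a later, broader allow.
RULES = [parse_rule(n, t) for n, t in [
    (100, f"deny ip from {INSIDE_NET} to any in via fxp0"),   # inside src on outside if = spoof
    (200, f"allow ip from {INSIDE_NET} to any in via fxp1"),  # genuine LAN traffic
    (300, "allow ip from any to any out via fxp0"),            # anything leaving outward
]]

# Constructed sample packets.
SAMPLES = [
    Packet("192.168.1.5", "198.51.100.7", "fxp1", "in"),   # LAN host, correct interface
    Packet("192.168.1.5", "198.51.100.7", "fxp0", "in"),   # same addresses, wrong interface
    Packet("192.168.1.5", "198.51.100.7", "fxp0", "out"),  # leaving via the outside interface
    Packet("203.0.113.9", "192.168.1.5", "fxp0", "in"),    # unsolicited inbound, default deny
]

if __name__ == "__main__":
    for p in SAMPLES:
        action, num = evaluate(RULES, p)
        print(f"{p.direction:3} via {p.iface} {p.src:>13} -> {p.dst:<13} : {action} (rule {num})")
```

The second sample packet is the case from the thread: identical addresses to a legitimate LAN packet, rejected only because the rule can see which interface it arrived on. Note that this toy does not model `established`, `keep-state` or natd's `divert` rule, so real rulesets need more than the three rules shown.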