Date: Tue, 29 Jun 1999 07:25:06 -1000
From: "Art Neilson, KH7PZ" <art@hawaii.rr.com>
To: junkmale@xtra.co.nz
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfilter vs ipfw (was Re: tcp_wrappers)
Message-ID: <3.0.6.32.19990629072506.03085c60@clients1.hawaii.rr.com>
In-Reply-To: <19990629090654.GLCL112692.mta2-rme@wocker>
References: <3.0.6.32.19990628190217.032dd6b0@clients1.hawaii.rr.com> <19990627230044.HINL1400.mta2-rme@wocker>
OK, ipfilter does indeed look robust!! Looks like it can do both natd's and
ipfw's job!! I have been slowly hardening my system with wrappers and ipfw;
is ipfilter a complete replacement for ipfw? I'll have to look closely and
compare the two. Does it make sense, given ipfilter's capabilities, to have
both options IPFILTER and options IPFIREWALL in the kernel at the same time?
Do I still need options IPDIVERT in order to use ipfilter's nat? I know natd
needs it.

At 09:04 PM 6/29/99 +1200, you wrote:
>On 28 Jun 99, at 19:02, Art Neilson, KH7PZ wrote:
>
>> OK so Dan, while looking around on the website you mentioned I
>> found a section regarding ipnat.
>>
>> http://www.freebsddiary.org/freebsd/ipnat.htm
>>
>> This page describes how to do NAT via the ipfilter kernel module
>> or LKM. How does this differ from using natd? Other than maybe
>> performance? Do you gain any features or other benefits by using
>> ipfilter nat vs. natd nat? I'm currently using natd so am interested
>> if the ipfilter method is better.
>
>I, personally, think ipfilter (ipf) is a much more robust product. I have
>no proof of that. Merely anecdotes from those that use ipf. One feature
>within ipf that I think is worth mentioning is the rule group. This is a
>great short-hand way of ensuring that rules stick together where they
>should stick together. For example, the following are my first couple of
>rules:
>
>block in log on ed0 all head 100
>block out log on ed0 all head 150
>
>This effectively blocks all traffic on ed0. Later on you see stuff like
>this:
>
>pass in quick proto tcp from any to any port = www keep state group 100
>pass in quick proto tcp from any to any port = telnet keep state group 100
>pass in quick proto tcp from any to any port = ssh keep state group 100
>pass in quick proto tcp/udp from any to any port = domain keep state group 100
>
>All of these relate to traffic coming in on ed0. Similarly, the following
>stops those private addresses from coming in on ed0:
>
>#
># Deny reserved addresses.
>#
>
>block in log quick from 10.0.0.0/8 to any group 100
>block in log quick from 192.168.0.0/16 to any group 100
>block in log quick from 172.16.0.0/12 to any group 100
>
>Perhaps others with more technical knowledge of ipf can jump in here and
>tell you more about that.
>
>
>--
>Dan Langille - DVL Software Limited
>The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
>NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
>The Racing System - http://www.racingsystem.com/racingsystem.htm
>

   __ / )  _/_     It is a capital mistake to theorise before one has data.
  /--/ __ /        Insensibly one begins to twist facts to suit theories,
 / (_/ (_<__       Instead of theories to suit facts.
                       -- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, KH7PZ
Bank of Hawaii Tech Support
art@hawaii.rr.com
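The rule-group mechanism Dan describes above (a `head N` rule on an interface, with later `group N` rules inheriting its scope) is easy to get wrong when a ruleset grows, so here is an added checker, not part of the thread or of ipfilter itself, that parses an ipf.conf-style ruleset, resolves each grouped rule to the direction and interface of its head, and reports rules that name a group with no head or whose direction differs from the head's. The sample ruleset is constructed for the example, modelled on the quoted rules.

```python
import re
# Constructed ipf.conf sample modelled on the thread's head/group rules on ed0,
# plus one rule naming a group with no head and one whose direction mismatches.
SAMPLE_RULES = """\
block in log on ed0 all head 100
block out log on ed0 all head 150
pass in quick proto tcp from any to any port = www keep state group 100
pass in quick proto tcp from any to any port = ssh keep state group 100
block in log quick from 10.0.0.0/8 to any group 100
pass out quick proto tcp from any to any keep state group 150
pass in quick proto udp from any to any port = domain keep state group 200
pass out quick proto tcp from any to any port = smtp keep state group 100
"""
RULE_RE = re.compile(r"^(block|pass)\s+(in|out)\b")   # action and direction
IFACE_RE = re.compile(r"\bon\s+(\S+)")                  # "on ed0"
HEAD_RE = re.compile(r"\bhead\s+(\d+)")                 # "head 100"
GROUP_RE = re.compile(r"\bgroup\s+(\d+)")               # "group 100"

def _field(rx, line):
    m = rx.search(line)
    return m.group(1) if m else None

def parse_rules(text):
    # One dict per non-comment line: action, direction, interface, head, group.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rules.append({"text": line, "action": m.group(1), "dir": m.group(2),
                      "iface": _field(IFACE_RE, line),
                      "head": _field(HEAD_RE, line), "group": _field(GROUP_RE, line)})
    return rules

def check_groups(rules):
    # Resolve each grouped rule to its head's (direction, interface) and flag problems.
    heads = {r["head"]: r for r in rules if r["head"]}
    report = {"heads": {g: (h["dir"], h["iface"]) for g, h in heads.items()},
              "orphans": [], "mismatched": [], "scope": {}}
    for r in (x for x in rules if x["group"]):
        h = heads.get(r["group"])
        if h is None:                      # group referenced but never defined by a head
            report["orphans"].append(r["text"])
        elif h["dir"] != r["dir"]:         # "out" rule hanging off an "in" head
            report["mismatched"].append(r["text"])
        else:
            report["scope"][r["text"]] = (h["dir"], h["iface"])
    return report
```

Run it against a real ipf.conf before loading it with ipf, and treat anything in `orphans` or `mismatched` as a rule that will not do what its author intended.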