Date: 27 Oct 2000 19:21:14 -0400
From: Lowell Gilbert <lowell@be-well.ilk.org>
To: freebsd-stable@freebsd.org
Subject: Re: ipfw security.
Message-ID: <44d7gm8dm3.fsf@lowellg.ne.mediaone.net>
In-Reply-To: feedback@phpStop.com's message of "27 Oct 2000 18:19:08 +0800"
References: <8tbkqs$ki$1@FreeBSD.csie.NCTU.edu.tw>

feedback@phpStop.com ("Stop here. Start everywhere.") writes:

> I thought I would spread this to the mailing list just in case no one
> knew about it, and ask whether ipfw does implement all of the mentioned
> requirements:
>
> ftp://ftp.isi.edu/in-notes/rfc2979.txt
>
> Well, does ipfw support all of it, and if not, what doesn't it support?

RFC 2979 is informational, not a standards-track document, and it puts very few specific requirements on an implementation. It's more of a set of design principles for deployment of firewalls than it is a set of requirements for firewall software.

Like nearly every other piece of packet filtering code (at least, those that are remotely configurable) I've ever seen, ipfw is perfectly capable of being used in accordance with 2979, and perfectly capable of being configured to violate its every stricture.

2979 is (in my opinion) a good starting point for network administrators to learn what *not* to do with a packet filter, but that's about all.

- Lowell Gilbert

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message