From owner-freebsd-hackers Sun Aug 18 09:15:20 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA00307 for hackers-outgoing; Sun, 18 Aug 1996 09:15:20 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA00302 for ; Sun, 18 Aug 1996 09:15:18 -0700 (PDT)
Received: from rover.village.org (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with ESMTP id KAA00454; Sun, 18 Aug 1996 10:15:05 -0600 (MDT)
Message-Id: <199608181615.KAA00454@rover.village.org>
To: Poul-Henning Kamp
Subject: Re: ipfw vs ipfilter
Cc: "Jordan K. Hubbard" , "Ugen J.S.Antsilevich" , hackers@FreeBSD.ORG
In-reply-to: Your message of Wed, 14 Aug 1996 16:54:59 +0200
Date: Sun, 18 Aug 1996 10:15:05 -0600
From: Warner Losh
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

: The only thing I have against ditching ipfw and replacing with ipfilter
: is that the latter is getting too big for comfort.

One of our paranoid villagers recently did a code review on ipfw. He said it was OK, but found a couple of problems. Specifically, the code lacked comments; there was a bug in the IP header fragment discarding code (if the offset was one, it would discard the fragment, but not when it was 2; it should properly discard the fragment for all offsets > 0 and < the size of the headers); and it assumed that the user *REALLY* knew what they were doing with the ipfw command and didn't check any sanity on that (this may be the ipfw <-> kernel interface, he wasn't clear in his mail to me).

He preferred ipfw to ipfilter (which we've been using for a long time) because ipfw was easier to verify than ipfilter, because ipfilter has added too many bells and whistles for his comfort.

He has not tried to set up a FreeBSD firewall based on ipfw at this time, so it could be as horrible as Jordan contends. That's the next step.... More on that when it happens.

Warner
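The fragment-offset bug mentioned in the message above is worth seeing in code. What follows is an added illustration written for this archive page; it is not code from ipfw, ipfilter or the reviewer, and the function names, the constructed IPv4 headers and the 20-byte TCP header minimum are assumptions. It contrasts the "offset equals one" test the review describes with the range test the reviewer asked for: any non-first fragment whose offset still falls inside the transport header is dropped, because such a fragment could overlay the ports or flags a filter already inspected in the first fragment.

```c
/* Added example (not ipfw's own code): a minimal "tiny fragment" check of
 * the kind described in the review above. A non-first fragment (offset > 0)
 * whose 8-byte offset still lands inside the transport header is dropped.
 * Names and the constructed packets below are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_MF       0x2000  /* "more fragments" flag in the flags/offset field */
#define IP_OFFMASK  0x1fff  /* fragment offset, in units of 8 bytes */
#define MIN_TCP_HDR 20      /* smallest TCP header the filter must see whole */

/* Fragment offset in bytes, read from a raw big-endian IPv4 header. */
static unsigned ip_frag_offset_bytes(const uint8_t *hdr)
{
    uint16_t field = (uint16_t)((hdr[6] << 8) | hdr[7]);
    return (unsigned)(field & IP_OFFMASK) * 8u;
}

/* The buggy form the review describes: only offset 1 (8 bytes) is caught. */
int tiny_fragment_drop_buggy(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return 1;                         /* not a full IPv4 header: drop */
    return ip_frag_offset_bytes(hdr) == 8;
}

/* The corrected form: every offset > 0 and < the header size is dropped.
 * Returns 1 = drop, 0 = let the rest of the ruleset see the packet. */
int tiny_fragment_drop(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return 1;                         /* not a full IPv4 header: drop */
    unsigned off = ip_frag_offset_bytes(hdr);
    return off > 0 && off < MIN_TCP_HDR;  /* offsets 1 and 2 both land inside */
}

/* Build a constructed 20-byte IPv4 header carrying the given flags/offset. */
void make_ipv4_header(uint8_t *hdr, uint16_t flags_and_offset)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    hdr[3] = 40;                          /* total length 40 */
    hdr[6] = (uint8_t)(flags_and_offset >> 8);
    hdr[7] = (uint8_t)(flags_and_offset & 0xff);
    hdr[8] = 64;                          /* TTL */
    hdr[9] = 6;                           /* protocol: TCP */
}

/* Verdicts for a fragment offset given in 8-byte units: bit 0 = corrected
 * check says drop, bit 1 = buggy check says drop. */
int verdicts_for_offset(unsigned off_units, int more_fragments)
{
    uint8_t hdr[20];
    uint16_t field = (uint16_t)(off_units & IP_OFFMASK);
    if (more_fragments)
        field |= IP_MF;
    make_ipv4_header(hdr, field);
    return tiny_fragment_drop(hdr, sizeof hdr)
         | (tiny_fragment_drop_buggy(hdr, sizeof hdr) << 1);
}

int main(void)
{
    for (unsigned off = 0; off <= 3; off++) {
        int v = verdicts_for_offset(off, 1);
        printf("offset %u (%2u bytes): corrected=%s buggy=%s\n", off, off * 8,
               (v & 1) ? "drop" : "pass", (v & 2) ? "drop" : "pass");
    }
    return 0;
}
```

Running it shows the divergence the reviewer pointed out: offset 2 (16 bytes) passes the buggy check but is dropped by the range check, while offset 3 (24 bytes, past a 20-byte TCP header) passes both.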