From owner-freebsd-security Sun Jul 30 15: 9:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3A36837B67E; Sun, 30 Jul 2000 15:09:16 -0700 (PDT)
	(envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost)
	by cairo.anu.edu.au (8.9.3/8.9.3) id IAA29605;
	Mon, 31 Jul 2000 08:09:06 +1000 (EST)
From: Darren Reed
Message-Id: <200007302209.IAA29605@cairo.anu.edu.au>
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org> from "Jonathan M. Bresler" at "Jul 30, 0 12:27:17 pm"
To: jmb@hub.freebsd.org (Jonathan M. Bresler)
Date: Mon, 31 Jul 2000 08:09:06 +1000 (EST)
Cc: mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Jonathan M. Bresler, sie said:
> >
> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> > some initial frustration when glancing over the man page, but after I
> > decided to read it, word for word, and started toying with the examples,
> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> > other products I use on a daily basis.
> >
> > -mrh
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 it's not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

If you're using FW-1 on Solaris, you can use IP Filter to do filtering
before FW-1 in case you don't trust FW-1 :-)
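The interface-based spoof screen described in the quoted message, and the IP Filter pre-filter suggested in the reply, as an added example that is not part of the original thread. The interface name ed0 and the inside network 192.168.1.0/24 are assumptions, and the script only prints the ipfw commands unless fwcmd is pointed at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. ed0 and 192.168.1.0/24 are constructed
# placeholders for the outside interface and the inside network.

# Dry run by default: print the ipfw commands. Set fwcmd=/sbin/ipfw to apply.
fwcmd=${fwcmd:-"echo ipfw"}

# Source ranges that should never arrive from the outside:
# loopback and the RFC 1918 private blocks.
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ipfw: "in via <if>" matches on the interface the packet arrived on.
ipfw_antispoof() {
    oif=$1 inet=$2
    # The inside network as a source on the outside interface is spoofed.
    ${fwcmd} add deny all from "$inet" to any in via "$oif"
    for net in $BOGONS; do
        [ "$net" = "$inet" ] && continue   # already covered above
        ${fwcmd} add deny all from "$net" to any in via "$oif"
    done
}

# IP Filter: the same screen as ipf.conf lines; "on <if>" names the
# interface and "quick" stops rule processing at the first match.
ipf_antispoof() {
    oif=$1 inet=$2
    echo "block in quick on $oif from $inet to any"
    for net in $BOGONS; do
        [ "$net" = "$inet" ] && continue
        echo "block in quick on $oif from $net to any"
    done
}

# Demo with the constructed values.
ipfw_antispoof ed0 192.168.1.0/24
ipf_antispoof ed0 192.168.1.0/24
```

Both rule sets match only on source address for packets arriving on the outside interface, so they sit ahead of any address translation of the destination.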