Date: Sat, 9 Aug 2003 20:29:44 +0900
From: "Jesse" <jesse@206underground.net>
To: chris@redstarnetworks.net
Cc: security@freebsd.org
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Message-ID: <20030809202944.M87994@206underground.net>
In-Reply-To: <000d01c35e99$8ce83020$0b05a8c0@delllaptop>
References: <20030809153213.GA2391@dali.cs.wm.edu> <000d01c35e99$8ce83020$0b05a8c0@delllaptop>

> I bought a computer
> mainly as a way to ignore my wife, now I'm not sure what is worse - Your
> bitching or hers?

Thank you for injecting some rare humor into what is usually/supposedly an otherwise quiet, boring list ;P

>
> Chris Odell
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Zvezdan
> Petkovic
> Sent: Saturday, August 09, 2003 8:32 AM
> To: freebsd-security@freebsd.org
> Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
>
> On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> > What are you meaning by "native"? They both exist as part of the base
> > FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to
> > FreeBSD.
>
> Notice that I said "AFAIK" in the original message below. But let me
> elaborate.
>
> I had in mind this sentence from FreeBSD Handbook, Section 10.7.1
>
>     "FreeBSD comes with a kernel packet filter (known as IPFW),
>     which is what the rest of this section will concentrate on."
>
> The handbook does _not_ talk about IPF.
>
> Also, this document
>
> http://www.freebsd.org/news/status/report-may-2002-june-2002.html
> says (notice the word "native" in the first sentence, please):
>
>     "In summer 2002 the native FreeBSD firewall has been completely
>     rewritten in a form that uses BPF-like instructions to perform
>     packet matching in a more effective way. The external user
>     interface is completely backward compatible, though you can make
>     use of some newer match patterns (e.g. to handle sparse sets of
>     IP addresses) which can dramatically simplify the writing of
>     ruleset (and speed up their processing). The new firewall,
>     called ipfw2, is much faster and easier to extend than the old
>     one. It has been already included in FreeBSD-CURRENT, and
>     patches for FreeBSD-STABLE are available from the author."
>
> I rest my case.
>
> > I don't see how this argument is appropriate for choosing one over the
> > other anyway.
>
> That was exactly my point. Chris Odell admonished the original
> poster for using IPFW stating that IPF is native to *BSD. I simply
> wanted to point out that is not the exact state of affairs.
>
> >
> > On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > > >
> > > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF
> > > > for firewalling, and IPFW for throttling via dummy net. My
> > > > recommended reading for IPF and IPFW is "Building Linux and
> > > > OpenBSD Firewalls"...
> > >
> > > Where did you get this information?
> > >
> > > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X
> > > as a native firewall, due to Darwin's FreeBSD roots.
> > >
> > > Also, OpenBSD stopped using ipf four releases ago. The native
> > > firewall for OpenBSD is pf. pf inherited much of the syntax from
> > > ipf, but also extended it and added some features.
> > >
> > > That said, I personally find ipf quite a good stateful firewall and
> > > its syntax can feel more natural than ipfw syntax. It also works on
> > > Solaris and other OS's besides *BSDs.
>
> Best regards,
> --
> Zvezdan Petkovic <zvezdan@cs.wm.edu>
> http://www.cs.wm.edu/~zvezdan/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

------- End of Original Message -------