Date:      Sun, 2 Feb 2003 13:26:24 -0500
From:      "JoeB" <barbish@a1poweruser.com>
To:        <petre@kgb.ro>, <freebsd-questions@freebsd.org>
Subject:   RE: ipfw firewall questions
Message-ID:  <MIEPLLIBMLEEABPDBIEGIECJDFAA.barbish@a1poweruser.com>
In-Reply-To: <200302021150.52576.petre@kgb.ro>

There are 3 classes of rules in IPFW, each class has separate packet
interrogation abilities. Each succeeding class has greater packet
interrogation abilities than the previous one. These are stateless,
simple stateful, and advanced stateful. The advanced stateful rule
class is the only class having technically advanced interrogation
abilities capable of defending against the flood of different attack
methods currently employed by perpetrators. Stateless and simple
stateful IPFW firewall rules are inadequate to protect the user's
system in today's internet environment and leave the user
unknowingly believing they are protected when in reality they are
not.

The advanced stateful rule option keep-state works as documented
only when used in a rule set that does not use the divert rule.
Simply stated, the IPFW advanced stateful rule option keep-state does
not function correctly when used in an IPFW firewall that is also
using the IPFW built-in NATD function. For the most complete
keep-state protection the other firewall solution (IPFILTER) that
comes with FBSD should be used. Just check out the IPFW list archives
and you will see this subject discussed in detail without any
solution forthcoming.

http://www.obfuscation.org/ipf/

http://www.obfuscation.org/ipf/ipf-howto.html





-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Petre
Bandac
Sent: Sunday, February 02, 2003 4:51 AM
To: freebsd-questions@freebsd.org
Subject: ipfw firewall questions

hello

I'm about to "compose" my first ipfw firewall - and, since I have
worked quite a lot with iptables, I'm interested in a few minor
similarities:

1 - is the firewall called by rc.conf? or can I call it at boot time
via whatever *.sh placed in the right place

2 - can the firewall be an executable bash script (i.e. like a
regular linux firewall, with variables like myIP="192.168.0.0")?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre


--
Login: petre                            Name: Petre Bandac
Directory: /home/petre                  Shell: /usr/local/bin/zsh
On since Fri Jan 31 20:40 (EET) on ttyv1, idle 1 day 14:58 (messages off)
On since Sun Feb  2 09:28 (EET) on ttyp0, idle 1:15, from :0
On since Sun Feb  2 09:43 (EET) on ttyp1, idle 1:31, from :0
On since Fri Jan 31 23:46 (EET) on ttyp2, idle 0:02, from :0
On since Sun Feb  2 11:07 (EET) on ttyp3, idle 0:24, from :0
No Mail.
No Plan.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
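Added example (not code from either message in this thread): a small POSIX sh script of the kind Petre asks about in point 2, showing the stateless style next to the keep-state style that JoeB's reply contrasts. The interface name fxp0, the network 192.168.0.0/24 and the rule numbers are assumed values; the script uses no divert rule, so the keep-state/natd interaction reported above is not in play.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD ipfw(8) syntax as
# used by /etc/rc.firewall: each rule is loaded by running the ipfw
# binary once, so the "firewall" is simply an executable shell script.
#
# Run as root with FWCMD=/sbin/ipfw to load rules; with FWCMD=echo the
# script only prints the rules it would load (used by rule_dump below).

FWCMD="${FWCMD:-/sbin/ipfw}"
OIF="${OIF:-fxp0}"                 # outside interface (assumed name)
MYNET="${MYNET:-192.168.0.0/24}"   # variables work as in an iptables script

# Stateless rules: each packet is judged on its own header alone. The
# inbound "established" rule trusts the TCP ACK/RST bits, so any packet
# carrying those flags is let in whether or not a session exists.
stateless_rules() {
    $FWCMD add 00100 allow tcp from $MYNET to any out via $OIF setup
    $FWCMD add 00110 allow tcp from any to $MYNET in via $OIF established
    $FWCMD add 00120 deny log ip from any to any in via $OIF
}

# Stateful rules: keep-state records each outbound session in the dynamic
# rule table and check-state admits only packets matching an entry, so
# inbound traffic is accepted because this host started the session.
stateful_rules() {
    $FWCMD add 00100 check-state
    $FWCMD add 00110 allow tcp from $MYNET to any out via $OIF setup keep-state
    $FWCMD add 00120 allow udp from $MYNET to any out via $OIF keep-state
    $FWCMD add 00130 deny log ip from any to any in via $OIF
}

# Flush and load one of the two rule sets; flushing first keeps the
# script idempotent, so re-running it never stacks duplicate rules.
load_firewall() {
    mode="$1"
    $FWCMD -f flush
    case "$mode" in
        stateless) stateless_rules ;;
        stateful)  stateful_rules ;;
        *) echo "usage: $0 stateless|stateful" >&2; return 2 ;;
    esac
    # Final catch-all: anything not explicitly allowed is dropped and logged.
    $FWCMD add 65000 deny log ip from any to any
}

# Print the rules a mode would load without touching the kernel, so a
# rule set can be reviewed before it is committed.
rule_dump() {
    ( FWCMD=echo; load_firewall "$1" )
}

# Number of emitted rules that create dynamic state (0 for stateless).
count_keep_state() {
    rule_dump "$1" | grep -c 'keep-state' || true
}

# Load the requested mode when invoked with an argument, e.g.
#   FWCMD=/sbin/ipfw sh firewall.sh stateful
if [ -n "${1:-}" ]; then
    load_firewall "$1"
fi
```

For point 1, FreeBSD's rc.conf can hand such a script to the boot sequence with firewall_enable="YES" and firewall_script="/path/to/firewall.sh" (the default script is /etc/rc.firewall); rule_dump gives a dry run of either mode so the difference between the two rule sets can be inspected before loading.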





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGIECJDFAA.barbish>