Date: Wed, 21 Nov 2001 19:22:57 +0100 (CET)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Bart Matthaei <bart@dreamflow.nl>
Cc: Dave Raven <dave@raven.za.net>, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <Pine.BSF.4.21.0111211913360.441-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20011121183151.B15275@heresy.dreamflow.nl>

On Wed, 21 Nov 2001, Bart Matthaei wrote:

> > With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> > If you are planning on large usage I would recommend IPFilter (less load)
> > and IPNat.
>
> I still don't see why ipf would be better when it comes to filtering.

This issue (at least in one aspect) has been discussed on this list around
Oct 30 (thread about keep-state and ICMP). The discussion strayed from the
original topic and someone pointed out that ipfilter does a more careful
inspection when dealing with dynamic rules (checks TCP sequence numbers
etc.).

Regards,
Krzysztof