FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Jesse
jesse at 206underground.net
Sat Aug 9 20:30:10 PDT 2003
> I bought a computer
> mainly as a way to ignore my wife, now I'm not sure what is worse - your
> bitching or hers?
Thank you for injecting some rare humor into what is usually/supposedly an
otherwise quiet, boring list ;P
>
> Chris Odell
>
> -----Original Message-----
> From: owner-freebsd-security at freebsd.org
> [mailto:owner-freebsd-security at freebsd.org] On Behalf Of Zvezdan
> Petkovic
> Sent: Saturday, August 09, 2003 8:32 AM
> To: freebsd-security at freebsd.org
> Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
>
> On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> > What are you meaning by "native"? They both exist as part of the base
> > FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to
> > FreeBSD.
>
> Notice that I said "AFAIK" in the original message below. But let me
> elaborate.
>
> I had in mind this sentence from FreeBSD Handbook, Section 10.7.1
>
> "FreeBSD comes with a kernel packet filter (known as IPFW),
> which is what the rest of this section will concentrate on."
>
> The handbook does _not_ talk about IPF.
>
> Also, this document
>
> http://www.freebsd.org/news/status/report-may-2002-june-2002.html
> says (notice the word "native" in the first sentence, please):
>
> "In summer 2002 the native FreeBSD firewall has been completely
> rewritten in a form that uses BPF-like instructions to perform
> packet matching in a more effective way. The external user
> interface is completely backward compatible, though you can make
> use of some newer match patterns (e.g. to handle sparse sets of
> IP addresses) which can dramatically simplify the writing of
> ruleset (and speed up their processing). The new firewall,
> called ipfw2, is much faster and easier to extend than the old
> one. It has been already included in FreeBSD-CURRENT, and
> patches for FreeBSD-STABLE are available from the author."
>
> I rest my case.
>
> > I don't see how this argument is appropriate for choosing one over the
> > other anyway.
>
> That was exactly my point. Chris Odell admonished the original
> poster for using IPFW stating that IPF is native to *BSD. I simply
> wanted to point out that is not the exact state of affairs.
>
> >
> > On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > > >
> > > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF
> > > > for firewalling, and IPFW for throttling via dummy net. My
> > > > recommended reading for IPF and IPFW is "Building Linux and
> > > > OpenBSD Firewalls"...
> > >
> > > Where did you get this information?
> > >
> > > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X
> > > as a native firewall, due to Darwin's FreeBSD roots.
> > >
> > > Also, OpenBSD stopped using ipf four releases ago. The native
> > > firewall for OpenBSD is pf. pf inherited much of the syntax from
> > > ipf, but also extended it and added some features.
> > >
> > > That said, I personally find ipf quite a good stateful firewall and
> > > > its syntax can feel more natural than ipfw syntax. It also works on
> > > > Solaris and other OS's besides *BSDs.
>
> Best regards,
> --
> Zvezdan Petkovic <zvezdan at cs.wm.edu> http://www.cs.wm.edu/~zvezdan/
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
>
------- End of Original Message -------