RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

From: Chris Odell (chris_at_redstarnetworks.net)
Date: 08/09/03

    To: "'Zvezdan Petkovic'" <zvezdan@CS.WM.EDU>, <freebsd-security@freebsd.org>
    Date: Sat, 9 Aug 2003 10:13:27 -0700
    
    

      I AM WRONG..... I AM VERY SORRY..... I can't believe it takes fifty
    different people to bash me, as I think I tucked my tail between my legs
    after the first time being told I was wrong. I accepted it and didn't
    argue, so now I think the rest of you people should give up on it now.
    You have proved your point, now get off me. I bought a computer mainly
    as a way to ignore my wife, now I'm not sure what is worse - your
    bitching or hers?

    Chris Odell

    -----Original Message-----
    From: owner-freebsd-security@freebsd.org
    [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Zvezdan
    Petkovic
    Sent: Saturday, August 09, 2003 8:32 AM
    To: freebsd-security@freebsd.org
    Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

    On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
    > What are you meaning by "native"? They both exist as part of the base
    > FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to
    > FreeBSD.

    Notice that I said "AFAIK" in the original message below. But let me
    elaborate.

    I had in mind this sentence from FreeBSD Handbook, Section 10.7.1

            "FreeBSD comes with a kernel packet filter (known as IPFW),
            which is what the rest of this section will concentrate on."

    The handbook does _not_ talk about IPF.

    Also, this document
            
    http://www.freebsd.org/news/status/report-may-2002-june-2002.html
    says (notice the word "native" in the first sentence, please):

            "In summer 2002 the native FreeBSD firewall has been completely
            rewritten in a form that uses BPF-like instructions to perform
            packet matching in a more effective way. The external user
            interface is completely backward compatible, though you can make
            use of some newer match patterns (e.g. to handle sparse sets of
            IP addresses) which can dramatically simplify the writing of
            ruleset (and speed up their processing). The new firewall,
            called ipfw2, is much faster and easier to extend than the old
            one. It has been already included in FreeBSD-CURRENT, and
            patches for FreeBSD-STABLE are available from the author."

    I rest my case.

    > I don't see how this argument is appropriate for choosing one over the
    > other anyway.

    That was exactly my point. Chris Odell admonished the original poster
    for using IPFW stating that IPF is native to *BSD. I simply wanted to
    point out that is not the exact state of affairs.

    >
    > On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
    > > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
    > > >
    > > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF
    > > > for firewalling, and IPFW for throttling via dummy net. My
    > > > recommended reading for IPF and IPFW is "Building Linux and
    > > > OpenBSD Firewalls"...
    > >
    > > Where did you get this information?
    > >
    > > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X
    > > as a native firewall, due to Darwin's FreeBSD roots.
    > >
    > > Also, OpenBSD stopped using ipf four releases ago. The native
    > > firewall for OpenBSD is pf. pf inherited much of the syntax from
    > > ipf, but also extended it and added some features.
    > >
    > > That said, I personally find ipf quite a good stateful firewall and
    > > its syntax can feel more natural than ipfw syntax. It also works on
    > > Solaris and other OS's besides *BSDs.

    Best regards,

    -- 
    Zvezdan Petkovic <zvezdan@cs.wm.edu> http://www.cs.wm.edu/~zvezdan/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to
    "freebsd-security-unsubscribe@freebsd.org"
    
