Re: firewall on FreeBSD

From: Alex Zbyslaw (xfb52_at_dial.pipex.com)
Date: 06/26/05

    Date: Sun, 26 Jun 2005 22:15:59 +0100
    To: Giorgos Keramidas <keramida@ceid.upatras.gr>

    Giorgos Keramidas wrote:

    > On 2005-06-26 00:40, Alex Zbyslaw <xfb52@dial.pipex.com> wrote:
    >
    >> Paul Schmehl wrote:
    >>
    >>> pf on freebsd does support the "quick" keyword. The "default"
    >>> firewall, ipfw, does not.
    >>
    >> This makes no sense to me. The two firewalls work very differently.
    >>
    >> [...]
    >
    > You describe very nicely the way rules are matched by two of the three
    > different firewalls available on FreeBSD. The description, being very
    > correct, *does* make sense.
    >
    > Why do you say that ``This makes no sense to you''
    Maybe I'm misreading something, or taking it out of context, but the
    statement "ipfw does not support the quick keyword" makes no sense to
    me. For me, it implies that somehow ipfw could (or even should) support
    the quick keyword, and that is nonsensical. The way ipfw rules work
    there is not only no need to support a quick keyword, but no point in
    supporting one because all relevant matches are already quick, by
    definition.

    Maybe I'm being overly pedantic, but if I had stumbled across this
    message in an archive search, and knew nothing about FreeBSD firewalls,
    I could easily take it to mean that ipfw was lacking a feature with
    respect to pf when, in fact, it wasn't. (There may be plenty of other
    reasons for picking one firewall or the other, but the "lack" of a quick
    keyword in ipfw isn't one of them).

    Am *I* making any more sense, now?

    --Alex

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
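The point of the thread is a difference in matching discipline: pf evaluates the whole ruleset and the last matching rule wins unless a matching rule says `quick`, while ipfw stops at the first matching rule, so every ipfw match is already "quick". The following simulator is an added example, not code from the thread or from either firewall; the `Rule` and `Packet` classes, the rulesets and the sample packets are constructed for illustration and model only protocol, source, destination and destination port.

```python
"""Toy simulator of pf (last match, optional "quick") vs ipfw (first match).

Added example, not code from the mailing-list thread. pf_evaluate() follows pf's
discipline: every rule is consulted, the last match decides, and a matching
"quick" rule ends evaluation immediately. ipfw_evaluate() follows ipfw's: rules
are walked in order and the first match decides, which is why ipfw has no
"quick" keyword to add.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "pass"/"block" (pf) or "allow"/"deny" (ipfw)
    proto: str = "any"            # "tcp", "udp" or "any"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"              # CIDR or "any"
    dport: Optional[int] = None   # destination port, None = any
    quick: bool = False           # pf only: stop evaluating on match


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule specifies matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def pf_evaluate(rules, pkt: Packet) -> str:
    """pf: last matching rule wins; a matching "quick" rule stops evaluation.
    A packet that matches no rule passes (pf's behaviour with an empty match)."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def ipfw_evaluate(rules, pkt: Packet) -> str:
    """ipfw: first matching rule wins. The ruleset is expected to end with an
    explicit catch-all, standing in for ipfw's final default rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    raise ValueError("ruleset has no catch-all rule")


LAN = "192.168.1.0/24"   # constructed address range

# Intended policy: allow SSH from the LAN, block everything else from the LAN.
# pf without "quick": the later, broader block also matches and, being last, wins.
PF_NO_QUICK = [
    Rule("pass", proto="tcp", src=LAN, dport=22),
    Rule("block", src=LAN),
]
# pf with "quick": evaluation stops at the pass rule.
PF_QUICK = [
    Rule("pass", proto="tcp", src=LAN, dport=22, quick=True),
    Rule("block", src=LAN),
]
# ipfw: same order, no keyword needed; the first match decides.
IPFW = [
    Rule("allow", proto="tcp", src=LAN, dport=22),
    Rule("deny", src=LAN),
    Rule("deny"),   # catch-all, standing in for the default final rule
]

# Constructed sample packets.
SSH_FROM_LAN = Packet("tcp", "192.168.1.10", "192.168.1.1", 22)
HTTP_FROM_LAN = Packet("tcp", "192.168.1.10", "203.0.113.7", 80)


def compare(pkt: Packet) -> dict:
    """Decision of each ruleset for one packet."""
    return {
        "pf_no_quick": pf_evaluate(PF_NO_QUICK, pkt),
        "pf_quick": pf_evaluate(PF_QUICK, pkt),
        "ipfw": ipfw_evaluate(IPFW, pkt),
    }


if __name__ == "__main__":
    for name, pkt in (("ssh from LAN", SSH_FROM_LAN), ("http from LAN", HTTP_FROM_LAN)):
        print(name, compare(pkt))
```

Running it shows that the pf ruleset without `quick` blocks the SSH packet even though a pass rule matched it, the pf ruleset with `quick` passes it, and the ipfw ruleset allows it with plain ordering; the HTTP packet is blocked or denied in all three. Rule order and the catch-all are the only knobs an ipfw ruleset needs, which is the point the post makes.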

