ipfw or pf

Loren M. Lang lorenl at alzatex.com
Sun Mar 13 00:17:06 PST 2005


On Fri, Mar 04, 2005 at 01:41:23PM +0100, Albert Shih wrote:
>  On 03/03/2005 at 13:07:53-0800, Loren M. Lang wrote:
> > > Well, it's not the syntax. I always use packet filter systems (sometimes on
> > > hardware like Foundry/Cisco) where the rule is: first match, first used. And
> > > pf using the entire rule set is very strange to me (I know I can use "quick"
> > > but... well, it's not the philosophy, I think).
> > 
> > I like first match better too, but I think pf is sufficiently better
> > that I just use it with quick over ipfw.
> > 
> 
> Better on what?

More security features like scrubbing packets.  This can look for errors
like bad TCP flag combinations that some port scanners might use.  Also,
it is just more flexible by using tables for matches that can even be
updated dynamically.  ipf and ipfw would require a completely new rule
to change the firewall.  Tables can be used to, say, keep track of a
blacklist of IP addresses like the ones that keep trying to log into SSH
accounts on my server that don't exist.

pf also has built-in passive OS fingerprinting if you think that might
be useful.

Read through the pf FAQ on openbsd.org.

> 
> I would really like to know. And my question is not a troll or something like
> that.
> 
> Regards
> 
> 
> --
> Albert SHIH
> Universite de Paris 7 (Denis DIDEROT)
> U.F.R. de Mathematiques.
> Heure local/Local time:
> Fri Mar 4 13:40:29 CET 2005

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
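A pf.conf illustrating the features discussed in this thread (scrub, a runtime-updatable table for an SSH blacklist, first-match via "quick", and the passive OS fingerprinting "os" keyword). This is an added example, not configuration from either poster; the interface name, table name, file path, and the assumption that the default pf.os contains "NMAP" class signatures are mine.

```pf
# Added example, not from the thread. Interface, table name and file
# path are assumptions; adjust for your host.
ext_if = "fxp0"

# Persistent table: survives rule reloads and can be edited at runtime
# without touching the rule set, e.g. (192.0.2.10 is a constructed address):
#   pfctl -t bruteforce -T add 192.0.2.10
#   pfctl -t bruteforce -T delete 192.0.2.10
#   pfctl -t bruteforce -T show
# With ipfw the equivalent would be a new or changed rule.
table <bruteforce> persist file "/etc/pf.bruteforce"

# Normalize incoming traffic: reassemble fragments and drop packets with
# illegal TCP flag combinations (the "bad flags" some scanners send).
scrub in all

# Default deny. Rules without "quick" use last-match; "quick" stops
# evaluation at the first match, giving ipfw/Cisco-style ordering.
block in log on $ext_if all

# Blacklisted sources are dropped before any other rule is considered.
block in quick on $ext_if from <bruteforce> to any

# Passive OS fingerprinting: match on the fingerprint class from pf.os.
# Assumption: the stock /etc/pf.os is loaded and contains the "NMAP" class.
block in log quick on $ext_if proto tcp from any os "NMAP" to any

# SSH from everyone else, stateful; offenders go into <bruteforce> via pfctl.
pass in quick on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state
pass out quick on $ext_if all keep state
```

Load with `pfctl -f /etc/pf.conf`; the table file is read at load time and later additions through `pfctl -T add` take effect immediately.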