rguyom321.net

• Next message: Darren Reed: "Re: Problems with natd and simple firewall"
• Previous message: Jonathan M. Bresler: "Re: log with dynamic firewall rules"
• In reply to: Jonathan M. Bresler: "Re: Problems with natd and simple firewall"
• Next in thread: Darren Reed: "Re: Problems with natd and simple firewall"
• Next in thread: Crist J. Clark: "Re: Problems with natd and simple firewall"
• Reply: Rémi Guyomarch: "Re: Problems with natd and simple firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 its not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

Anti-spoofing stuff on FW1 is done differently than other rules. And
you can configure anti-spoofing on each interface.
But there's something you can't do with FW1 : NAT'ing the same hosts /
networks to different (public) adresses according to the external
interface the packets cross. You have possible workarounds, but they
are ugly.

-- 
Rémi
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Darren Reed: "Re: Problems with natd and simple firewall"
• Previous message: Jonathan M. Bresler: "Re: log with dynamic firewall rules"
• In reply to: Jonathan M. Bresler: "Re: Problems with natd and simple firewall"
• Next in thread: Darren Reed: "Re: Problems with natd and simple firewall"
• Next in thread: Crist J. Clark: "Re: Problems with natd and simple firewall"
• Reply: Rémi Guyomarch: "Re: Problems with natd and simple firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]