Subject: Re: Problems with natd and simple firewall
From: Darren Reed (avalon at coombs.anu.edu.au)
Date: Sun Jul 30 2000 - 19:43:22 CDT
- Next message: Stephen Montgomery-Smith: "Re: log with dynamic firewall rules"
- Previous message: schluntz at timberwolf.workofstone.net: "Re: Problems with natd and simple firewall"
- In reply to: schluntz at timberwolf.workofstone.net: "Re: Problems with natd and simple firewall"
- Next in thread: Siobhan Patricia Lynch: "Re: Problems with natd and simple firewall"
- Next in thread: Crist J. Clark: "Re: Problems with natd and simple firewall"
- Reply: Darren Reed: "Re: Problems with natd and simple firewall"
- Reply: Siobhan Patricia Lynch: "Re: Problems with natd and simple firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In some mail from schluntz at timberwolf.workofstone.net, sie said:
>
> >> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> >> > some initial frustration when glancing over the man page, but after I
> >> > decided to read it, word for word, and started toying with the examples,
> >> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> >> > other products I use on a daily basis.
> >> >
> >> > -mrh
> >>
> >> one significant advantage of ipfw over FW1, aside from cost,
> >> is that ipfw can test on which interface a packet arrives and/or
> >> leaves. as far as i know, in FW1 it's not possible to act upon packets
> >> based upon which interface the packet hits. imagine wanting to screen
> >> (spoofed) packets with the inside IP addresses arriving on the outside
> >> interface. ;(
> >
> >If you're using FW-1 on Solaris, you can use IP Filter to do filtering
> >before FW-1 in case you don't trust FW-1 :-)
>
> Or, if you really don't trust FW-1 on Solaris (but need some of its
> functionality and like a second layer of protection) put a Cisco (or
> preferably a FreeBSD box running ipfw) in front of it blocking all of
> the heinous stuff and just let the FW-1 box do some of the granularity.
>
> This also protects your FW-1 box from some of the FW-1 related attacks.
If you want to "add security" then you put in place something like a box
with FWTK or Gauntlet. Layering packet filters does not add a second
layer of protection, IMHO, just lets you stop FW-1 from crashing >;-)
But you'd only use ipfw if you didn't know how to run up ipfilter in any
case :-)
Darren
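The interface-based anti-spoofing screen discussed in the quoted text (inside addresses arriving on the outside interface), as an added illustration that is not part of this thread: a constructed ipfw-style ruleset with a small first-match evaluator. Interface names fxp0 (outside) and fxp1 (inside) and the prefix 192.168.1.0/24 are assumptions.

```python
import ipaddress

# Constructed anti-spoofing ruleset in ipfw syntax; first match wins.
# Assumed interfaces: fxp0 = outside, fxp1 = inside (hypothetical names).
INSIDE_NET = "192.168.1.0/24"
RULES = [
    # Our own inside prefix must never arrive on the outside interface.
    f"deny ip from {INSIDE_NET} to any in via fxp0",
    # RFC 1918 and loopback sources from the outside are bogus as well.
    "deny ip from 10.0.0.0/8 to any in via fxp0",
    "deny ip from 172.16.0.0/12 to any in via fxp0",
    "deny ip from 127.0.0.0/8 to any in via fxp0",
    # Only our own prefix may enter via the inside interface.
    f"allow ip from {INSIDE_NET} to any in via fxp1",
    "deny ip from any to any in via fxp1",
    "allow ip from any to any",
]

def parse_rule(text):
    """Parse 'ACTION ip from SRC to DST [in|out] [via IFACE]' into a dict."""
    tok = text.split()
    rule = {"action": tok[0], "src": tok[3], "dst": tok[5], "dir": None, "via": None}
    rest = tok[6:]
    while rest:
        word = rest.pop(0)
        if word in ("in", "out"):
            rule["dir"] = word
        elif word == "via":
            rule["via"] = rest.pop(0)
    return rule

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(packet, rules=RULES):
    """Return the action of the first rule matching a packet dict (src, dst, dir, iface)."""
    for text in rules:
        r = parse_rule(text)
        if (addr_matches(r["src"], packet["src"]) and addr_matches(r["dst"], packet["dst"])
                and (r["dir"] is None or r["dir"] == packet["dir"])
                and (r["via"] is None or r["via"] == packet["iface"])):
            return r["action"]
    # Mirrors ipfw's final rule 65535, which denies unless the kernel was built to accept.
    return "deny"

# Constructed packets: the same inside source seen on the outside and on the inside interface.
SPOOFED = {"src": "192.168.1.5", "dst": "192.168.1.1", "dir": "in", "iface": "fxp0"}
GENUINE = {"src": "192.168.1.5", "dst": "198.51.100.7", "dir": "in", "iface": "fxp1"}
```

The spoofed packet is denied by the first rule while the genuine one is allowed, which is exactly the distinction a filter without interface matching cannot make.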