[rescue] RFA: firewall

Skeezics Boondoggle skeezics at q7.com
Mon Jan 10 19:34:34 CST 2005


On Sun, 9 Jan 2005, Jonathan C. Patschke wrote:
/.../
> Even if you're stuck with a BSD that uses the older Reed ipf filter,
> it's only marginally harder to read and understand than the new OpenBSD
> pf stuff.

"Older ipf filter"?  Well, yes, it's been around longer, but it is still
in active development and will in fact be included in Solaris 10.  In
fact, 'pf' likely wouldn't even exist save for the unfortunate pissing
match between Theo and Darren over licensing issues...

Anyway, ipfilter 3.4.x has been phenomenally stable and I've run it on
boxes that handle insane amounts of traffic and all sorts of services;
it's fast and secure and I use and recommend it without reservation.

While the 4.x versions are still going through some teething pains, with
Sun now taking an active part in the development I expect ipf will
continue to be the best option on Solaris.  And since ipf 4.x also now
supports Linux as well as the BSDs, you could use one consistent set of
firewall rules on multiple platforms.  Personally, I find the pf/ipf
syntax infinitely easier to read and understand (and hence use correctly
and securely) than the Linux ipchains/tables/flavorOfTheDay...

-- Chris
