On Sunday 13 March 2005 09:16, Loren M. Lang wrote:
> On Fri, Mar 04, 2005 at 01:41:23PM +0100, Albert Shih wrote:
> > On 03/03/2005 at 13:07:53-0800, Loren M. Lang wrote:
> > > > Well, it's not the syntax. I always use packet filter systems
> > > > (sometimes on hardware like Foundry/Cisco) where the rule is: first
> > > > match, first used. And pf evaluating the entire rule set is very strange to me
> > > > (I know I can use "quick" but... well, it's not the philosophy, I
> > > > think).
> > >
> > > I like first match better too, but I think pf is sufficiently better
> > > that I just use it with quick over ipfw.
> >
> > Better on what?
>
> More security features like scrubbing packets. This can look for errors
> like bad TCP flag combinations that some port scanners might use. Also,
> it is just more flexible by using tables for matches that can even be
> updated dynamically. ipf and ipfw would require a completely new rule
> to change the firewall. Tables can be used to, say, keep track of a
> blacklist of IP addresses like the ones that keep trying to log into ssh
> accounts on my server that don't exist.

man ipfw

    ipfw table number add addr[/masklen] [value]
    ipfw table number delete addr[/masklen]
    ipfw table number flush
    ipfw table number list
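As an added illustration of the dynamic blacklist use case discussed above (not code from the thread), the script below counts sshd "Invalid user" attempts per source address in a constructed log sample and prints the ipfw table commands from the man page excerpt for any address over a threshold. Table number 1, the threshold of 2, and the log format are assumptions; the commands are printed for review rather than executed.

```sh
#!/bin/sh
# Constructed sshd log sample (not real data); the real source would be
# /var/log/auth.log or the sshd facility in syslog.
SAMPLE_LOG='Mar 13 09:10:01 host sshd[1234]: Invalid user admin from 192.0.2.10
Mar 13 09:10:05 host sshd[1235]: Invalid user oracle from 192.0.2.10
Mar 13 09:11:02 host sshd[1240]: Accepted publickey for loren from 198.51.100.7 port 50000 ssh2
Mar 13 09:12:44 host sshd[1250]: Invalid user test from 203.0.113.5
Mar 13 09:12:50 host sshd[1251]: Invalid user guest from 192.0.2.10'

# Assumed: ipfw table number to fill (pick one unused by your ruleset).
TABLE=1
# Assumed: attempts against nonexistent accounts before an address is listed.
THRESHOLD=2

# Print, one per line, the source addresses with at least THRESHOLD
# "Invalid user" attempts. Only sshd "Invalid user" lines are counted;
# successful logins that also contain "from" are ignored.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v min="$THRESHOLD" '
            /sshd\[[0-9]+\]: Invalid user / {
                # the source address is the field after "from"
                for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
            }
            END { for (a in n) if (n[a] >= min) print a }' | sort
}

# Emit one "ipfw table N add addr" command per offender, using the
# syntax quoted from man ipfw above. Pipe the output to sh to apply it.
# A rule referencing the table, e.g. "deny ip from table(1) to me 22",
# is what actually blocks the listed addresses; see man ipfw for details.
table_cmds() {
    offenders | while read -r addr; do
        printf 'ipfw table %s add %s\n' "$TABLE" "$addr"
    done
}

table_cmds
```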