Date: Sun, 1 Jul 2001 11:35:41 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.org
Subject: Firewall: ipfw? ipfilter? dhcp lease?
Message-ID: <20010701113541.A32402@acadia.ne.mediaone.net>

Hey all. FreeBSD newbie/convert in training here. Couple questions regarding firewalls.

First some background on what I am doing now (meaning I have enough knowledge to get by on my current setup). I am currently using RH6.2 with ipchains for my firewall. I am blocking and allowing different ports from all or just a subnet (all open from my work subnet, most closed from all else, that kind of thing). I also have it set up with dhcpcd (pump doesn't do it for me) so that when I get a new dhcp lease, the firewall is reinitialized by executing the rc.firewall script with each dhcp lease.

Anyway, I have just finally gotten around to getting a new (for me) machine at home to run FreeBSD on, and I want to set that up as my front end machine (hooked directly to the cable modem, running the firewall, masquerading, maybe doing nat, etc.), but I also want to make sure the firewall will stay up with the current dhcp lease.

Anyway, I have been reading about firewalls on the list for a while, and am wondering about the differences between using ipfilter and ipfw. I take it FreeBSD is not using ipchains, so I won't go there. I assume there is some flexibility/security/simplicity tradeoff between the two? Seems logical to me if so. Is one easier to configure? What about resource requirements? (not that that would be an issue, but I'm curious.)

I am well aware that there are books available on the subject, a couple are plugged right in the /etc/rc.firewall script, but I want to make a decision on the approach first, and pick the book or books, web resources, etc. that most apply to my decision (I already have plenty of books that "don't apply").

Also, are there any online tools to help set up such a firewall? I have been using an ipchains firewall I generated with Rob Ziegler's excellent Linux Firewall Design Tool at
http://www.linux-firewall-tools.com/linux/firewall/index.html
And yes, it is excellent! Unfortunately, I don't think he has gotten too much into the FreeBSD world. Maybe I'll scout his site again later, or better yet, email him.

BTW, some of you may have noticed that I had asked about 5.0-CURRENT recently, but I will be running 4.3-STABLE on this machine. I am (or was) putting -CURRENT on an extra desktop I have 'absconded' at work for experimentation. Just an FYI.

Any and all useful commentary on the subject is more than welcome and much appreciated.

I hope I have not strayed too far from list etiquette in terms of being both complete and concise, but please forgive me if I have, and feel free to let me know so I can correct any errant behavior, as I expect to have a lot of questions for the list in the future :).

TIA
Lou
-- 
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
leblanc@acadia.ne.mediaone.net
http://acadia.ne.mediaone.net