From owner-freebsd-questions@FreeBSD.ORG Fri Jan 5 08:25:23 2007
Date: Fri, 5 Jan 2007 09:11:22 +0100
From: Albert Shih <Albert.Shih@obspm.fr>
To: Brett Davidson
Cc: questions@freebsd.org
Subject: Re: Advice on which FreeBSD firewall package to choose.
Message-ID: <20070105081122.GC8555@pcjas.obspm.fr>
In-Reply-To: <60224D09909C0B43A50935A0893D8FF31DA2DC@srv.exchange.net24.net.nz>
On 05/01/2007 at 10:25:30+1300, Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to
> use FreeBSD as a firewalling router after seeing it in action on a
> heavily-loaded webserver. I like the efficiency of the TCP stack.
>
> Upon reading the handbook I found that I can have my choice of three
> firewalls; pf, iptables and ipfw.
>
> What would be the most useful (and easiest) package to use given the
> following scenario:
>
> A FreeBSD router comprising of four physical interfaces -
> Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> Eth1 is a 100Mbit DMZ housing a webserver.
> Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router.
> (My normal preference is to isolate Wireless LANs from physical
> LANs).
> Eth3 is the inside LAN.
>
> Software-based VPN connections out from both the Inside LAN and Wireless
> DMZ are required. (Allowing VPN tunnels through the firewall; not
> tunnels terminated at the firewall).
>
> Against prudence, they wish to allow torrent connections to the inside
> LAN and ICQ connections to both the Inside LAN and the Wireless DMZ. The
> torrent and ICQ connections will need to be bandwidth-managed so that is
> a major consideration for the choice of which firewall to use. Is there
> an equivalent to HTB on FreeBSD?
>
> I look forward to your answers...
>

I've been using ipfw and pf for this. If you have some knowledge of Cisco ACLs you can use ipfw (it uses first match). pf has some very useful features. With pf it's last match, and it's easier to add ACLs with pf from a script (like ssh_bruteforce).

Regards.

--
Albert SHIH
Observatoire de Paris Meudon
Local time: Fri 5 Jan 2007 09:08:19 CET
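The four-interface scenario above, worked through as an added pf.conf example that is not part of this thread and is not either poster's configuration. It shows the two points Albert contrasts (pf's default last-match evaluation versus first-match via "quick"), a self-populating table for ssh brute-force sources, and ALTQ/HFSC as pf's bandwidth-management counterpart to HTB. Interface names (em0-em3; FreeBSD names NICs by driver, not eth0), the 192.168.x.0/24 addressing, the host addresses, the queue sizes and the port numbers are all assumptions chosen for the example.

```pf
# Added example ruleset for the topology described in the thread.
# Interface names, addresses, rates and ports are assumptions.
ext_if  = "em0"                 # outside cable uplink (assumed name)
dmz_if  = "em1"                 # wired DMZ holding the web server
wifi_if = "em2"                 # DMZ holding the 802.11g access point
lan_if  = "em3"                 # inside LAN

dmz_net   = "192.168.1.0/24"    # constructed addressing
wifi_net  = "192.168.2.0/24"
lan_net   = "192.168.3.0/24"
webserver = "192.168.1.10"

# Sources that trip the ssh rate limit are added here by pf itself,
# so no external brute-force script has to parse logs.
table <bruteforce> persist

set skip on lo0
scrub in all

# Bandwidth management: ALTQ/HFSC on the uplink. The kernel needs
# 'options ALTQ' and 'options ALTQ_HFSC'. 10Mb is a placeholder; use
# the link's real upstream rate, since this shapes outbound traffic only.
altq on $ext_if hfsc bandwidth 10Mb queue { q_def, q_vpn, q_p2p }
queue q_def bandwidth 60% hfsc(default)
queue q_vpn bandwidth 30% hfsc(realtime 1Mb)     # VPN tunnels get a guaranteed share
queue q_p2p bandwidth 10% hfsc(upperlimit 1Mb)   # torrents and ICQ are hard-capped

# Translation: NAT for the inside networks, redirect web traffic into the DMZ.
nat on $ext_if from { $lan_net, $wifi_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $webserver

# Filter rules. pf's default is last match wins: 'block in log all' is the
# catch-all and any later 'pass' overrides it. 'quick' ends evaluation at the
# first match, which is the ipfw/Cisco-ACL style Albert mentions.
antispoof quick for { $dmz_if, $wifi_if, $lan_if }
block in log all

# First-match style: banned sources are dropped before any pass rule is seen.
block in quick on $ext_if from <bruteforce>

# Keep the wireless DMZ and the inside LAN apart in both directions.
block in quick on $wifi_if from $wifi_net to $lan_net
block in quick on $lan_if  from $lan_net  to $wifi_net

# Last-match style: this pass rule follows 'block in log all' and wins for web traffic.
pass in on $ext_if proto tcp from any to $webserver port { 80, 443 } flags S/SA keep state

# Admin ssh to the router: more than 5 new connections in 30 s from one source
# puts it in <bruteforce> and flushes that source's existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Outbound VPN tunnels through (not terminated at) the firewall: IKE, NAT-T, ESP/AH.
pass in on { $lan_if, $wifi_if } proto udp from { $lan_net, $wifi_net } to any port { 500, 4500 } keep state queue q_vpn
pass in on { $lan_if, $wifi_if } proto { esp, ah } from { $lan_net, $wifi_net } to any keep state queue q_vpn

# Torrents from the inside LAN only, ICQ from LAN and wireless DMZ, both shaped.
pass in on $lan_if proto { tcp, udp } from $lan_net to any port 6881:6999 keep state queue q_p2p
pass in on { $lan_if, $wifi_if } proto tcp from { $lan_net, $wifi_net } to any port 5190 flags S/SA keep state queue q_p2p

# Everything else from the inside networks leaves through the default queue.
pass in on { $lan_if, $wifi_if } from { $lan_net, $wifi_net } to any keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the sources the overload rule has collected. The queue tag travels with the state, so a `queue` keyword on a `pass in` rule for the LAN interface shapes the matching packets when they leave `$ext_if`; download traffic toward the LAN is not shaped unless a second `altq` block is defined on `$lan_if`. Plain ESP through NAT works for a single client at best; VPN clients behind the NAT generally need NAT-T on UDP 4500, which is why that port is passed alongside 500.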