Date: Thu, 28 Mar 2002 01:06:58 +0100
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: "Josh Snyder" <nightrav@netnitco.net>
Cc: security@FreeBSD.org
Subject: Re: NAT / Firewall Question
Message-ID: <20020328010658.07dcd02c.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <00e801c1d59d$2b463e10$4400000a@nitco.com>
References: <00e801c1d59d$2b463e10$4400000a@nitco.com>
On Wed, 27 Mar 2002 08:39:14 -0600 Josh Snyder wrote:

> I am going to be setting up a box to do NAT with my Ameritech ADSL (Alcatel
> SpeedTouch USB modem) and I was wondering if there was any reason that I
> should use FreeBSD with ipfw/ipfilter (I don't really know the difference)

In short... ipfilter is more advanced and employs more in-depth checks.

> rather than Linux with iptables? I fully admit that I haven't really
> researched the two options thoroughly and I've only set up a very basic one
> rule NAT configuration for my friend. I was hoping that you all may have
> some insight as to why or if FreeBSD makes a better NAT / Firewall box.

Okay, here are some of my personal thoughts on the subject:

- ipfw is the simplest of all three, and the easiest to set up; however, NAT has to be done with an external application (like natd or with pppd). It has some limitations (you can't do active FTP, for example, but every decent client supports passive mode nowadays), but it works well for me as a simple firewall and I'd recommend it for such purposes.

- ipfilter is the most powerful and flexible; doing NAT is simple, rulesets may be a bit tricky, but I found it to be very well documented. For a home firewall it may be overkill, unless you can't live without active FTP and similar stuff.

- iptables is a good firewall, it can do a lot (NAT, active FTP, even more), but I find it overcomplicated from the user's point of view.

Generally I prefer BSD-based firewalls to Linux-based ones because of simplicity: you can build a FreeBSD firewall having installed only the base system plus a handful of ports (e.g. some text editor if you are not a vi fan), while with Linux you may easily end up with dozens of packages and complicated dependencies between them.

I would also recommend browsing through some documentation (like HOWTOs, etc.) on all of these firewalls, just to see how each of them matches your needs.
Good luck,
Krzysztof

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem
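The three set-ups the reply compares, side by side, as an added example that is not part of the original message and not taken from the ipfw, ipfilter or iptables projects' own documentation. It prints a minimal home NAT gateway for each tool so the structural difference the reply alludes to is visible: ipfw only diverts packets to the userland natd(8) daemon, ipnat translates in the kernel from its own rule file, and iptables translates from the nat table with MASQUERADE. The interface names (tun0/ppp0 for the PPP link over the ADSL modem, fxp0/eth0 for the LAN) and the 192.168.1.0/24 LAN are assumptions, and the syntax targets the FreeBSD 4.x and Linux 2.4 tools of the time. The functions only print, so the script can be reviewed on any machine without touching a live kernel.

```shell
#!/bin/sh
# Added example (not from the original message or from the ipfw, ipfilter or
# iptables projects): the same minimal home NAT gateway written for each of
# the three firewalls compared above, circa FreeBSD 4.x / Linux 2.4.
# Every function only PRINTS its configuration so it can be reviewed offline;
# nothing here touches a running kernel.

WAN_BSD=tun0              # assumption: userland ppp(8) link over the ADSL modem
LAN_BSD=fxp0              # assumption: FreeBSD LAN interface
WAN_LINUX=ppp0            # assumption: pppd link on Linux
LAN_LINUX=eth0            # assumption: Linux LAN interface
LAN_NET=192.168.1.0/24    # assumption: private LAN behind the gateway

# ipfw: the kernel only *diverts* matching packets to a divert(4) socket;
# natd(8) in userland rewrites them and reinjects them at the rule after the
# divert rule. natd binds divert port 8668 (the "natd" entry in /etc/services),
# so the divert rule must come before any pass rule or no translation happens.
# Because translation has already happened when the later rules run, outbound
# traffic is filtered by direction (out via $WAN_BSD), not by LAN source.
# No dynamic rules here: DNS replies are let in by source port, the 2002-era
# trade-off of a natd ruleset without state.
ipfw_natd_rules() {
    cat <<EOF
# /etc/rc.conf: firewall_enable="YES" natd_enable="YES" natd_interface="$WAN_BSD"
# kernel: options IPFIREWALL, IPDIVERT (IPFIREWALL_VERBOSE for the log keyword)
ipfw -f flush
ipfw add 100 divert natd ip from any to any via $WAN_BSD
ipfw add 200 pass ip from any to any via lo0
ipfw add 300 pass ip from any to any via $LAN_BSD
ipfw add 400 pass tcp from any to any out via $WAN_BSD
ipfw add 410 pass udp from any to any out via $WAN_BSD
ipfw add 420 pass icmp from any to any out via $WAN_BSD
ipfw add 500 pass tcp from any to any in via $WAN_BSD established
ipfw add 510 pass udp from any 53 to any in via $WAN_BSD
ipfw add 520 pass icmp from any to any in via $WAN_BSD icmptypes 0,3,11
ipfw add 65000 deny log ip from any to any
EOF
}

# ipfilter: NAT is a separate rule file (ipnat.rules) processed in the kernel.
# ipnat rules are first-match, so the ftp proxy and the tcp/udp portmap rules
# precede the catch-all; "0/32" means "the current address of that interface",
# which suits a dynamic ADSL address. Inbound NAT happens before filtering and
# outbound NAT after it, so the filter always sees LAN addresses and the state
# table (keep state) lets the replies back in.
ipfilter_rules() {
    cat <<EOF
# /etc/rc.conf: ipfilter_enable="YES" ipnat_enable="YES"
# ---- /etc/ipnat.rules  (load: ipnat -CF -f /etc/ipnat.rules) ----
map $WAN_BSD $LAN_NET -> 0/32 proxy port ftp ftp/tcp
map $WAN_BSD $LAN_NET -> 0/32 portmap tcp/udp 40000:60000
map $WAN_BSD $LAN_NET -> 0/32
# ---- /etc/ipf.rules  (load: ipf -Fa -f /etc/ipf.rules) ----
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $LAN_BSD all
pass out quick on $LAN_BSD all
pass out quick on $WAN_BSD proto tcp/udp from any to any keep state
pass out quick on $WAN_BSD proto icmp from any to any keep state
block in log quick on $WAN_BSD all
EOF
}

# iptables: NAT lives in the kernel's nat table; MASQUERADE uses whatever
# address the PPP link currently has. Active FTP through NAT needs the 2.4
# kernel's conntrack/nat helper modules loaded explicitly.
iptables_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_LINUX -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_LINUX -j ACCEPT
iptables -A INPUT -i $WAN_LINUX -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_LINUX -o $WAN_LINUX -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_LINUX -o $LAN_LINUX -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the configuration for one firewall; return 1 for an unknown name.
rules_for() {
    case "$1" in
        ipfw)     ipfw_natd_rules ;;
        ipfilter) ipfilter_rules ;;
        iptables) iptables_rules ;;
        *) echo "usage: $0 ipfw|ipfilter|iptables" >&2; return 1 ;;
    esac
}

# Usage: sh natgw.sh ipfw   (prints only; nothing is applied)
if [ $# -gt 0 ]; then
    rules_for "$1"
fi
```

Run it with one of the three names and compare the output: the ipfw version is a single divert rule plus plain filter rules, the ipfilter version is two separate files, and the iptables version mixes NAT and filter into one command list, which is the "more in one tool, more to learn" trade-off the reply describes.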