From: Krzysztof Zaraska
To: "Josh Snyder"
Cc: security@FreeBSD.org
Subject: Re: NAT / Firewall Question
Date: Thu, 28 Mar 2002 01:06:58 +0100
Message-Id: <20020328010658.07dcd02c.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <00e801c1d59d$2b463e10$4400000a@nitco.com>
References: <00e801c1d59d$2b463e10$4400000a@nitco.com>
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Sender: owner-freebsd-security@FreeBSD.ORG
List-ID: freebsd-security

On Wed, 27 Mar 2002 08:39:14 -0600
Josh Snyder wrote:

> I am going to be setting up a box to do NAT with my Ameritech ADSL (Alcatel
> SpeedTouch USB modem) and I was wondering if there was any reason that I
> should use FreeBSD with ipfw/ipfilter (I don't really know the difference)

In short... ipfilter is more advanced and employs more in-depth checks.

> rather than Linux with iptables? I fully admit that I haven't really
> researched the two options thoroughly and I've only set up a very basic
> one-rule NAT configuration for my friend. I was hoping that you all may have
> some insight as to why or if FreeBSD makes a better NAT / Firewall box.

Okay, here are some of my personal thoughts on the subject:

- ipfw is the simplest of all three, and the easiest to set up; however, NAT
  has to be done with an external application (like natd or with pppd). It
  has some limitations (you can't do active FTP, for example, but every
  decent client supports passive mode nowadays), but it works well for me as
  a simple firewall and I'd recommend it for such purposes.

- ipfilter is the most powerful and flexible; doing NAT is simple, rulesets
  may be a bit tricky, but I found it to be very well documented. For a home
  firewall it may be overkill, unless you can't live without active FTP and
  similar stuff.

- iptables is a good firewall, it can do a lot (NAT, active FTP, even more),
  but I find it overcomplicated from the user's point of view.

Generally I prefer BSD-based firewalls to Linux-based ones because of
simplicity: you can build a FreeBSD firewall having installed only the base
system plus a handful of ports (e.g. some text editor if you are not a vi
fan), while with Linux you may easily end up with dozens of packages and
complicated dependencies between them.

I would also recommend browsing through some documentation (like HOWTOs,
etc.) on all of these firewalls, just to see how each of them matches your
needs.

Good luck,
Krzysztof

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem
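The ipfw-plus-natd arrangement from the first bullet, as an added example that is not part of the original post or of FreeBSD's own rc.firewall: a minimal default-deny ruleset for a home NAT box in which, as the post says, the translation itself is done by natd through a divert rule rather than by ipfw. The interface names (tun0 for the ADSL/PPP link, fxp0 for the LAN) and the LAN range 192.168.11.0/24 are constructed for this example. The IPFW variable defaults to "echo ipfw", so running the script only prints the commands it would load; set IPFW=/sbin/ipfw on the firewall to apply them.

```sh
#!/bin/sh
# Added example (not from the original post): minimal ipfw + natd ruleset for
# a home NAT box. Assumed names, all constructed for this example: tun0 is the
# ADSL/PPP link, fxp0 the LAN interface, 192.168.11.0/24 the LAN.
#
# Matching /etc/rc.conf entries on FreeBSD 4.x:
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="tun0"
#
# Dry run by default: only print what would be loaded.
IPFW="${IPFW:-echo ipfw}"

gen_ipfw_rules() {
    ext="$1"; lan_if="$2"; lan_net="$3"

    $IPFW -f flush

    # Loopback is always fine; nothing else may use 127/8.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: a packet with a LAN source address must never arrive on
    # the ADSL side. This sits before the divert rule, so it sees the packet
    # before natd has rewritten anything.
    $IPFW add 400 deny ip from "$lan_net" to any in via "$ext"

    # Hand every packet crossing the external interface to natd (port "natd",
    # 8668 in /etc/services). Packets re-enter the ruleset right after this
    # rule, so everything below sees translated addresses.
    $IPFW add 500 divert natd ip from any to any via "$ext"

    # Replies to connections opened from inside (ACK set, not a bare SYN).
    $IPFW add 600 allow tcp from any to any established
    # Non-first fragments carry no port numbers; pass them on to reassembly.
    $IPFW add 700 allow ip from any to any frag

    # Anything may go out to the Internet; LAN hosts may talk to this box and
    # receive the translated replies.
    $IPFW add 800 allow ip from any to any out via "$ext"
    $IPFW add 900 allow ip from "$lan_net" to any in via "$lan_if"
    $IPFW add 1000 allow ip from any to "$lan_net" out via "$lan_if"

    # ICMP types needed for ping, path MTU discovery and traceroute replies.
    $IPFW add 1100 allow icmp from any to any icmptypes 0,3,8,11

    # New inbound TCP connections from the Internet are logged and dropped;
    # whatever is left falls through to a logged default deny.
    $IPFW add 1200 deny log tcp from any to any in via "$ext" setup
    $IPFW add 65000 deny log ip from any to any
}

gen_ipfw_rules tun0 fxp0 192.168.11.0/24
```

Rule order relative to the divert rule is the part that is easy to get wrong: rules numbered below 500 match the packet as it arrives on the wire, rules above 500 match it after natd has rewritten the addresses, so an anti-spoofing check belongs before the divert and the LAN-side allow rules after it. Because this ruleset is stateless (the `established` keyword only tests the ACK flag), it passes replies to outbound connections but gives no help with protocols that open a second connection inbound, which is the active FTP limitation the post mentions.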