From owner-freebsd-questions Sun Jul 1 12:39:40 2001
Date: Sun, 1 Jul 2001 16:38:12 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Louis LeBlanc
Subject: Re: Firewall: ipfw? ipfilter? dhcp lease?
In-Reply-To: <20010701113541.A32402@acadia.ne.mediaone.net>
Message-ID: <20010701161952.A16304-100000@cactus.fi.uba.ar>

Both ipf and ipfw are roughly equivalent, and each one has its strengths and weaknesses. For me, they are way better (better syntax, better features, easier to configure) than IP chains. I am using IP Filter, because it suits my particular needs better.

I use IPfilter instead of ipfw because:

1. compatibility with other OS (solaris, other bsd)
2. I like the stateful inspection features of ipf better.
3. Rule grouping. You can make the rules tree shaped instead of linear, speeding up the rule matching.
4. I prefer ipnat over natd.

On the other hand with ipfw you can:

1. Use a traffic shaper (dummynet).
2. Select where you want to NAT (at the beginning, at the end, somewhere in between)

You can even use them both at the same time (I use ipf for NAT/filtering and ipfw for dummynet).
The ipf howto is at http://www.obfuscation.org/ipf/ipf-howto.txt
The ipfw howto is at http://www.mostgraveconcern.com/freebsd/ipfw.html
The IP Filter mailing list archives are at http://false.net/ipfilter

My advice is try them both, and pick the one that fits your needs better.

Hope this helps

On Sun, 1 Jul 2001, Louis LeBlanc wrote:

> Hey all. FreeBSD newbie/convert in training here.
> Couple questions regarding firewalls.
>
> First some background on what I am doing now (meaning I have enough
> knowledge to get by on my current setup)
>
> I am currently using RH6.2 with ipchains for my firewall. I am
> blocking and allowing different ports from all or just a subnet (all
> open from my work subnet, most closed from all else, that kind of
> thing). I also have it set up with dhcpcd (pump doesn't do it for me)
> so that when I get a new dhcp lease, the firewall is reinitialized by
> executing the rc.firewall script with each dhcp lease.
>
> Anyway, I have just finally gotten around to getting a new (for me)
> machine at home to run FreeBSD on, and I want to set that up as my
> front end machine (hooked directly to the cable modem, running the
> firewall, masquerading, maybe doing nat, etc.), but I also want to
> make sure the firewall will stay up with the current dhcp lease.
>
> Anyway, I have been reading about firewalls on the list for a while,
> and am wondering about the differences between using ipfilter and
> ipfw. I take it FreeBSD is not using ipchains, so I won't go there.
>
> I assume there is some flexibility/security/simplicity tradeoff
> between the two? Seems logical to me if so. Is one easier to
> configure? What about resource requirements? (not that that would be
> an issue, but I'm curious.)
>
> I am well aware that there are books available on the subject, a
> couple are plugged right in the /etc/rc.firewall script, but I want to
> make a decision on the approach first, and pick the book or books, web
> resources, etc. that most apply to my decision (I already have plenty
> of books that "don't apply")
>
> Also, are there any online tools to help set up such a firewall? I
> have been using an ipchains firewall I generated with Rob Ziegler's
> excellent Linux Firewall Design Tool at
> http://www.linux-firewall-tools.com/linux/firewall/index.html
> And yes, it is excellent! Unfortunately, I don't think he has gotten
> too much into the FreeBSD world. Maybe I'll scout his site again
> later, or better yet, email him.
>
> BTW, some of you may have noticed that I had asked about 5.0-CURRENT
> recently, but I will be running 4.3-STABLE on this machine. I am
> (or was) putting -CURRENT on an extra desktop I have 'absconded' at
> work for experimentation. Just an FYI.
>
> Any and all useful commentary on the subject is more than welcome and
> much appreciated. I hope I have not strayed too far from list
> etiquette in terms of being both complete and concise, but please
> forgive me if I have, and feel free to let me know so I can correct
> any errant behavior, as I expect to have a lot of questions for the
> list in the future :).
>
> TIA
> Lou
> --
> Louis LeBlanc
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> leblanc@acadia.ne.mediaone.net
> http://acadia.ne.mediaone.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
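The two threads of this exchange (Fernando's reasons for ipf, namely grouped "tree-shaped" rules, keep state and ipnat, and Lou's requirement that the firewall follow a changing cable-modem DHCP lease) fit together in one hook script. The script below is an added example written for this page; it is not code from either poster. It is meant to live at /etc/dhclient-exit-hooks, which FreeBSD's dhclient-script sources after every lease event with $reason, $interface, $new_ip_address and $old_ip_address set. The interface names (ed0/ed1), the LAN prefix 192.168.1.0/24 and the "work" subnet 10.10.0.0/16 are assumptions for illustration, not taken from the thread; override them through the environment.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks: regenerate and reload an ipf/ipnat ruleset
# whenever the DHCP lease on the external interface changes.
# Added example (not from the thread).  Assumed layout: cable modem on
# ed0, LAN on ed1 as 192.168.1.0/24, and a work subnet 10.10.0.0/16 that
# gets full TCP access, as in Lou's description.  Override via environment.
EXT_IF="${EXT_IF:-ed0}"
INT_IF="${INT_IF:-ed1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WORK_NET="${WORK_NET:-10.10.0.0/16}"
RULES_FILE="${RULES_FILE:-/etc/ipf.rules}"
NAT_FILE="${NAT_FILE:-/etc/ipnat.rules}"

# build_ipf_rules EXT_IP: print the ipf ruleset for the current lease.
# "head"/"group" make the rules tree-shaped: a packet on EXT_IF only walks
# the group for its direction, and the head rule's own action (block)
# applies when nothing in the group matches.  "keep state" admits replies
# to sessions we initiated without explicit inbound rules.
build_ipf_rules() {
    ext_ip="$1"
    cat <<EOF
# ipf rules generated for $EXT_IF lease $ext_ip
pass in quick on lo0 all
pass out quick on lo0 all
# external interface: default deny per direction, details in the groups
block in log quick on $EXT_IF all head 100
block out log quick on $EXT_IF all head 150
# group 100: inbound on $EXT_IF (anti-spoof first, then what we admit)
block in quick on $EXT_IF from 127.0.0.0/8 to any group 100
block in quick on $EXT_IF from $LAN_NET to any group 100
pass in quick on $EXT_IF proto tcp from $WORK_NET to $ext_ip flags S keep state group 100
pass in quick on $EXT_IF proto tcp from any to $ext_ip port = 22 flags S keep state group 100
# group 150: outbound on $EXT_IF.  ipf filters outbound packets before
# ipnat rewrites them, so LAN sources still carry their private address.
pass out quick on $EXT_IF proto tcp from any to any flags S keep state group 150
pass out quick on $EXT_IF proto udp from any to any keep state group 150
pass out quick on $EXT_IF proto icmp from any to any keep state group 150
# internal interface: the LAN is trusted
pass in quick on $INT_IF from $LAN_NET to any keep state
pass out quick on $INT_IF all
EOF
}

# build_ipnat_rules EXT_IP: print the ipnat map for the current lease.
build_ipnat_rules() {
    ext_ip="$1"
    cat <<EOF
map $EXT_IF $LAN_NET -> $ext_ip/32 portmap tcp/udp 10000:65000
map $EXT_IF $LAN_NET -> $ext_ip/32
EOF
}

# lease_changed OLD NEW: true when a usable address arrived that differs
# from the previous one, so a RENEW of the same address does not reload.
lease_changed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# apply_rules EXT_IP: regenerate both files and reload them.  ipf -Fa
# flushes only the rules, not the state table (that would be -Fs), so
# established sessions survive; ipf -y resyncs ipf's interface address
# list after the change.
apply_rules() {
    build_ipf_rules "$1" > "$RULES_FILE"
    build_ipnat_rules "$1" > "$NAT_FILE"
    ipf -Fa -f "$RULES_FILE" && ipf -y
    ipnat -CF -f "$NAT_FILE"
    logger -t dhclient-exit-hooks "firewall reloaded for $EXT_IF=$1"
}

# Entry point when sourced by dhclient-script.  Does nothing when $reason
# is unset, e.g. when the file is sourced by hand to inspect the functions.
case "${reason:-}" in
BOUND|REBOOT)
    apply_rules "$new_ip_address" ;;
RENEW|REBIND|REBOUND)
    if lease_changed "${old_ip_address:-}" "${new_ip_address:-}"; then
        apply_rules "$new_ip_address"
    fi ;;
esac
```

Because dhclient-script sources the file rather than executing it, never call exit from it. Point the boot-time loader at the same two files (ipfilter_rules and ipnat_rules in /etc/rc.conf) so the ruleset loaded at boot and the one regenerated on a lease change are identical apart from the address.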