From owner-freebsd-questions Sun Jul 1 14: 2:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp01.wxs.nl (smtp01.wxs.nl [195.121.6.61]) by hub.freebsd.org (Postfix) with ESMTP id F008037B403 for ; Sun, 1 Jul 2001 14:02:27 -0700 (PDT) (envelope-from alfatrion@cybertron.tmfweb.nl)
Received: from cybertron ([213.10.151.186]) by smtp01.wxs.nl (Netscape Messaging Server 4.05) with SMTP id GFTBS000.36O; Sun, 1 Jul 2001 23:02:24 +0200
Message-ID: <002e01c10271$21fc08d0$231fa8c0@dekruijff.nl>
From: "Alfatrion"
To: "Fernando Gleiser", "Louis LeBlanc"
Cc:
References: <20010701161952.A16304-100000@cactus.fi.uba.ar>
Subject: Re: Firewall: ipfw? ipfilter? dhcp lease?
Date: Sun, 1 Jul 2001 23:00:16 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> > Hey all. FreeBSD newbie/convert in training here.
> > Couple questions regarding firewalls.
> >
> > First some background on what I am doing now (meaning I have enough
> > knowledge to get by on my current setup)
> >
> > I am currently using RH6.2 with ipchains for my firewall. I am
> > blocking and allowing different ports from all or just a subnet (all
> > open from my work subnet, most closed from all else, that kind of
> > thing). I also have it set up with dhcpcd (pump doesn't do it for me)
> > so that when I get a new dhcp lease, the firewall is reinitialized by
> > executing the rc.firewall script with each dhcp lease.
> >
> > Anyway, I have just finally gotten around to getting a new (for me)
> > machine at home to run FreeBSD on, and I want to set that up as my
> > front end machine (hooked directly to the cable modem, running the
> > firewall, masquerading, maybe doing nat, etc.), but I also want to
> > make sure the firewall will stay up with the current dhcp lease.
> >
> > Anyway, I have been reading about firewalls on the list for a while,
> > and am wondering about the differences between using ipfilter and
> > ipfw. I take it FreeBSD is not using ipchains, so I won't go there.
> >
> > I assume there is some flexibility/security/simplicity tradeoff
> > between the two? Seems logical to me if so. Is one easier to
> > configure? What about resource requirements? (not that that would be
> > an issue, but I'm curious.)
> >
> > I am well aware that there are books available on the subject, a
> > couple are plugged right in the /etc/rc.firewall script, but I want to
> > make a decision on the approach first, and pick the book or books, web
> > resources, etc. that most apply to my decision (I already have plenty
> > of books that "don't apply")
> >
> > Also, are there any online tools to help set up such a firewall? I
> > have been using an ipchains firewall I generated with Rob Ziegler's
> > excellent Linux Firewall Design Tool at
> > http://www.linux-firewall-tools.com/linux/firewall/index.html
> > And yes, it is excellent! Unfortunately, I don't think he has gotten
> > too much into the FreeBSD world. Maybe I'll scout his site again
> > later, or better yet, email him.
> >
> > BTW, some of you may have noticed that I had asked about 5.0-CURRENT
> > recently, but I will be running 4.3-STABLE on this machine. I am
> > (or was) putting -CURRENT on an extra desktop I have 'absconded' at
> > work for experimentation. Just an FYI.
> >
> > Any and all useful commentary on the subject is more than welcome and
> > much appreciated.
> > I hope I have not strayed too far from list
> > etiquette in terms of being both complete and concise, but please
> > forgive me if I have, and feel free to let me know so I can correct
> > any errant behavior, as I expect to have a lot of questions for the
> > list in the future :).
> >
> Both ipf and ipfw are roughly equivalent, and each one has its strengths and
> weaknesses. For me, they are way better (better syntax, better features,
> easier to configure) than IP chains.
>
> I am using IP Filter, because it suits my particular needs better.
> I use IPfilter instead of ipfw because:
>
> 1. compatibility with other OS (solaris, other bsd)
> 2. I like the stateful inspection features of ipf better.
> 3. Rule grouping. You can make the rules tree shaped instead of linear,
> speeding up the rule matching.
> 4. I prefer ipnat over natd.
>
> On the other hand with ipfw you can:
>
> 1. Use a traffic shaper (dummynet).
> 2. Select where you want to NAT (at the beginning, at the end, somewhere in
> between)
>
> You can even use them both at the same time (I use ipf for NAT/filtering
> and ipfw for dummynet).
>
> The ipf howto is at http://www.obfuscation.org/ipf/ipf-howto.txt
> The ipfw howto is at http://www.mostgraveconcern.com/freebsd/ipfw.html
>
> The IP Filter mailing list archives are at http://false.net/ipfilter
>
> My advice is try them both, and pick the one that fits your needs better.
>
> Hope this helps

Your number three reason is also possible with IPFW.

Alex
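Alex's closing point, that the rule grouping Fernando lists as item 3 is available in ipfw as well, is shown below in an added example that is not code from the thread or from FreeBSD's own rc.firewall. A few dispatcher rules classify each packet once by interface and direction and `skipto` the matching group, so a packet never walks the rules written for the other direction; `check-state`/`keep-state` give the stateful matching from item 2. The interface names fxp0/fxp1, the trusted work subnet 192.0.2.0/24 (a documentation range) and the rule numbers are assumptions. With FWCMD left at its default the script only prints the rules it would load; set `FWCMD=/sbin/ipfw` on the gateway to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset grouped with skipto,
# the ipfw counterpart of ipf rule groups, plus stateful keep-state rules.
# Interface names, networks and rule numbers are assumptions for illustration.

oif="${oif:-fxp0}"                    # assumed: external (cable modem) interface
iif="${iif:-fxp1}"                    # assumed: internal LAN interface
worknet="${worknet:-192.0.2.0/24}"    # assumed: trusted work subnet (RFC 5737 range)

# Dry run by default: print the rules instead of loading them into the kernel.
FWCMD="${FWCMD:-echo /sbin/ipfw}"

# Emit one ipfw rule through $FWCMD.
rule() { $FWCMD add "$@"; }

build_ruleset() {
    $FWCMD -f flush

    # --- Dispatcher: classify once, then jump straight into the right group.
    # (NAT could be inserted here as "divert natd ... via $oif" if natd runs;
    #  left out so the dry run makes no assumption about natd.)
    rule 100  check-state                               # established flows: done
    rule 200  allow ip from any to any via lo0
    rule 210  allow ip from any to any via "$iif"       # trust the inside LAN
    rule 300  skipto 2000 ip from any to any in  via "$oif"
    rule 310  skipto 3000 ip from any to any out via "$oif"
    rule 1999 deny log ip from any to any               # anything unclassified

    # --- Group 2000: inbound on the external interface only.
    rule 2000 deny ip from 10.0.0.0/8 to any in via "$oif"        # spoofed private src
    rule 2010 deny ip from 192.168.0.0/16 to any in via "$oif"
    rule 2020 allow udp from any 67 to any 68 in via "$oif"       # DHCP lease traffic
    rule 2030 allow tcp from "$worknet" to any 22 in via "$oif" setup keep-state
    rule 2999 deny log ip from any to any in via "$oif"           # group default

    # --- Group 3000: outbound on the external interface; keep-state admits replies.
    rule 3000 allow tcp from any to any out via "$oif" setup keep-state
    rule 3010 allow udp from any to any out via "$oif" keep-state
    rule 3020 allow icmp from any to any out via "$oif"
    rule 3999 deny log ip from any to any out via "$oif"          # group default
}

# Print (or load) the ruleset; the exit status is that of the last rule added.
build_ruleset
```

Each group ends in its own logged deny, so a packet that enters a group and matches nothing is dropped there rather than falling through into the next group. Because every rule uses `via $oif` and `any` rather than the current lease address, a new DHCP lease does not invalidate the ruleset, which is the property the original poster was after; if address-specific rules are added later, the script can be rerun from dhclient's exit hooks on each lease.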