From owner-freebsd-hackers Sun Aug 20 19:44:29 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id TAA05675 for hackers-outgoing; Sun, 20 Aug 1995 19:44:29 -0700
Received: from hk.super.net (hk.super.net [202.14.67.4]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id TAA05658 for ; Sun, 20 Aug 1995 19:44:21 -0700
Received: from rssd.hk.olivetti.com by hk.super.net with SMTP id AA13494 (5.67b/IDA-1.5 for <@hk.super.net:hackers@freebsd.org>); Mon, 21 Aug 1995 10:44:05 +0800
Message-Id: <199508210244.AA13494@hk.super.net>
Subject: Re: Internet In A Box
To: dennis@et.htp.com (dennis)
Date: Mon, 21 Aug 1995 10:35:39 +0800 (HKT)
From: "Raju M. Daryanani"
Cc: gryphon@healer.com, hackers@freebsd.org
In-Reply-To: <199508202319.TAA05069@mail.htp.com> from "dennis" at Aug 20, 95 07:19:11 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Content-Length: 1808
Sender: hackers-owner@freebsd.org
Precedence: bulk

According to dennis:
> screend sucks. Try something else.

Such as?

I'm in the process of setting up a FreeBSD box as a firewall, and at the moment I've got both screend and the ipfirewall facility compiled in.

The main problem I have with ipfirewall is that it sorts the firewall rules in ascending order of coverage size. I'd hate to find I've got a big hole because I miscalculated the order in which the rules are going to be evaluated. Also, it is all-or-nothing in deciding which ICMP packets you want to forward, meaning I can't set policy on which ones I want to allow in and which ones I want to reject.

The good thing about screend is that it evaluates the rules in the order that you issue them, making it easier to check the correctness. The problem I've got with it is that it doesn't allow you to screen out incoming TCP SYN packets. That will force me to close some ports on which I would like to allow outgoing connections.

It also doesn't allow me to protect the machine it's running on, since it only works on packets that it is gating between networks. As a result I've got to use ipfirewall to protect the FreeBSD router, and that means duplicated rules, which needlessly complicates things and creates two things I need to keep an eye on.

Performance is not a problem for me at the moment because the firewall is only guarding a 14.4Kbps net connection, and the 386DX/25 it runs on is idle 98% of the time.

If there's something better that allows more control, I'd like to know about it.

Raju
-- 
Raju M. Daryanani         | Email: raju@rssd.hk.olivetti.com
Technical Support Manager |        raju@hk.super.net, raju@air.org
Products Division         | Tel: +852 2979 2450 / Fax: +852 2802 6650
Olivetti (HK) Ltd.        | [Finger for PGP key] [MIME understood]
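The rule-ordering hazard Raju describes, as an added example that is not part of the original message: a first-match evaluator in the style he attributes to screend, the same rules re-sorted smallest-coverage-first as he describes ipfirewall doing, and a SYN-only rule of the kind he says screend lacks. The `Rule`/`Packet` models, the rule set and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule/packet models (not from the post); addresses are RFC 5737 documentation ranges.
@dataclass
class Rule:
    action: str             # "accept" or "reject"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: int = 0          # 0 = any destination port
    syn_only: bool = False  # match only new TCP connections (SYN set, ACK clear)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ack: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport == 0 or rule.dport == pkt.dport)
            and (not rule.syn_only or (pkt.syn and not pkt.ack)))

def first_match(rules, pkt, default="reject"):
    """screend-style: the first matching rule, in the order written, decides."""
    return next((r.action for r in rules if matches(r, pkt)), default)

def coverage(rule: Rule) -> int:
    return ip_network(rule.src).num_addresses + ip_network(rule.dst).num_addresses  # size of address ranges

def sorted_match(rules, pkt, default="reject"):
    """Same rules, re-ordered smallest coverage first, as the post describes ipfirewall doing."""
    return first_match(sorted(rules, key=coverage), pkt, default)

RULES = [  # in the order the administrator wrote them, meant to be read top to bottom
    Rule("reject", "tcp", "0.0.0.0/0", "192.0.2.0/24", dport=23),       # no telnet into the site
    Rule("accept", "tcp", "203.0.113.0/24", "192.0.2.10/32"),           # partner net may reach one host
    Rule("reject", "tcp", "0.0.0.0/0", "192.0.2.0/24", syn_only=True),  # no other inbound connections
    Rule("accept", "tcp", "0.0.0.0/0", "192.0.2.0/24"),                 # replies to outgoing connections
]
TELNET_IN = Packet("tcp", "203.0.113.7", "192.0.2.10", dport=23, syn=True)             # partner host tries telnet
NEW_IN = Packet("tcp", "198.51.100.9", "192.0.2.20", dport=80, syn=True)               # unsolicited connection
REPLY_IN = Packet("tcp", "198.51.100.9", "192.0.2.20", dport=1025, syn=True, ack=True)  # SYN/ACK to our SYN
```

`first_match` rejects `TELNET_IN` while `sorted_match` accepts it: the same rule set, read in a different order, opens exactly the kind of hole the post worries about, whereas the `syn_only` rule lets `REPLY_IN` through and stops `NEW_IN` under either ordering.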