Date:      Fri, 24 Jun 2005 12:58:51 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        freebsd-questions@freebsd.org
Subject:   Re: firewall on FreeBSD
Message-ID:  <08A3A012657D73D10A220154@Paul-Schmehls-Computer.local>
In-Reply-To: <200506241731.13651.martin@orbweavers.co.uk>
References:  <MIEPLLIBMLEEABPDBIEGMEIMHHAA.fbsd_user@a1poweruser.com> <200506241731.13651.martin@orbweavers.co.uk>

--On June 24, 2005 5:31:13 PM +0100 martin@orbweavers.co.uk wrote:

> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of
>> understanding of how information is moved across the internet.
>> Ipfilter is best suited for people who are just learning about
>> firewalling. PF is a little more automated and the rules are very
>> close to IPF's.
>> IPFW is for the advanced firewall users who have expert
>> understanding of the internet. All 3 firewalls support stateful
>> rules and are available in the 5.4 release. Best advice is start
>> with Ipfilter and when you find out that you have needs which are
>> not met by Ipfilter then move over to IPFW.
>
> Is this right?

If it is, then I'm a lot smarter than I give myself credit for.  The first 
firewall I ever used was ipchains.  Then I used iptables, but I never 
learned much about either because Linux obscures the config (unless you're 
doing something "fancy", you can run "setup" on the cli, click a few check 
boxes and you're done.)

When I decided to switch a server over to FBSD, I had to read the man page 
to understand how pf worked, because there *was* no "setup" to run.  I've 
been using pf for a few years now, and I've never had problems 
understanding the syntax or how it works (but I also never do NAT, so that 
might be the reason it seems easy to me.)

> I started off using IPFW, and found it no harder or easier
> than  ipfilter, which I am using now. Can't remember the reason I changed
> to  ipfilter, think it might have something to do with being easier to
> use with  ipnat, but I am pretty happy with it. Is there anything that
> ipfw does better  than ipfilter to make it preferable?
>
The only thing I would say about firewalls is, know what you're doing and 
do it at the console.  There's nothing like having to get dressed and drive 
40 miles to fix a box because you screwed up the firewall config while 
working remotely to impress upon you the need to work at the console. :-)

Personally, I like the "quick" keyword of the OpenBSD firewall, (but not 
enough to bother installing it.)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
