From: Paul Schmehl
To: freebsd-questions@freebsd.org
Date: Fri, 24 Jun 2005 12:58:51 -0500
Subject: Re: firewall on FreeBSD
Message-ID: <08A3A012657D73D10A220154@Paul-Schmehls-Computer.local>
In-Reply-To: <200506241731.13651.martin@orbweavers.co.uk>

--On June 24, 2005 5:31:13 PM +0100 martin@orbweavers.co.uk wrote:

> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of
>> understanding of how information is moved across the internet.
>> Ipfilter is best suited for people who are just learning about
>> firewalling. PF is a little more automated and the rules are very
>> close to IPF's.
>> IPFW is for the advanced firewall users who have expert
>> understanding of the internet. All 3 firewalls support stateful
>> rules and are available in the 5.4 release. Best advice is start
>> with Ipfilter and when you find out that you have needs which are
>> not met by Ipfilter then move over to IPFW.
>
> Is this right?

If it is, then I'm a lot smarter than I give myself credit for. The first firewall I ever used was ipchains. Then I used iptables, but I never learned much about either because Linux obscures the config (unless you're doing something "fancy", you can run "setup" on the cli, click a few check boxes and you're done).

When I decided to switch a server over to FBSD, I had to read the man page to understand how pf worked, because there *was* no "setup" to run. I've been using pf for a few years now, and I've never had problems understanding the syntax or how it works (but I also never do NAT, so that might be the reason it seems easy to me.)

> I started off using IPFW, and found it no harder or easier
> than ipfilter, which I am using now. Can't remember the reason I changed
> to ipfilter, think it might have something to do with being easier to
> use with ipnat, but I am pretty happy with it. Is there anything that
> ipfw does better than ipfilter to make it preferable?
>

The only thing I would say about firewalls is, know what you're doing and do it at the console. There's nothing like having to get dressed and drive 40 miles to fix a box because you screwed up the firewall config while working remotely to impress upon you the need to work at the console. :-)

Personally, I like the "quick" keyword of the OpenBSD firewall (but not enough to bother installing it.)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/