From owner-freebsd-questions Mon Jun 10 18:37:19 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA08506 for questions-outgoing; Mon, 10 Jun 1996 18:37:19 -0700 (PDT)
Received: from battra.telebase.com (root@battra.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA08500 for ; Mon, 10 Jun 1996 18:37:16 -0700 (PDT)
Received: from wormhole.telebase.com by battra.telebase.com id VAA29036; Mon, 10 Jun 1996 21:37:10 -0400 (EDT)
Received: from willow.willscreek.com (root@willow.willscreek.com [172.16.11.101]) by wormhole.telebase.com (8.7.3/8.6.9.1) with ESMTP id VAA10771; Mon, 10 Jun 1996 21:37:05 -0400 (EDT)
Received: (from bmc@localhost) by willow.willscreek.com (8.7.5/8.6.9) id VAA00337; Mon, 10 Jun 1996 21:37:02 -0400 (EDT)
Date: Mon, 10 Jun 1996 21:37:02 -0400 (EDT)
Message-Id: <199606110137.VAA00337@willow.willscreek.com>
From: Brian Clapper
To: FreeBSD matters of Mark Huizer (xaa)
Cc: questions@freebsd.org
Subject: Re: firewalls in FBSD, how good are they?
In-Reply-To: <91702035@toto.iv>
Reply-To: Brian Clapper
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "Mark Huizer"

Mark> What I'd like to know: I've never really used and trusted upon the
Mark> FreeBSD ipfw stuff. Could anyone give me a little story on their
Mark> experiences, whether one can hang their pacemaker on it safely etc :)

If all you use is a FreeBSD (or Linux) box with an ipfw module, then you're
implementing a packet-filtering gateway--a truly minimalist firewall. It'll
provide you *some* protection (i.e., more than just hanging your network
naked on the Internet), but if that's all you deploy as your firewall,
you're toast if that machine is compromised. That risk may be acceptable
for your site; it certainly wasn't (and isn't) for ours, though. And I sure
wouldn't hang a pacemaker (or credit-card transaction processing software)
off the back end of that sort of firewall.

You'd do well to read one or both of the following books, so you can
recommend an appropriate solution to your management.

1. Building Internet Firewalls. By Brent Chapman and Elizabeth Zwicky
   (O'Reilly and Associates, 1995). http://www.ora.com/www/item/fire.html

2. Firewalls & Internet Security: Repelling the Wily Hacker. By William R.
   Cheswick and Steven M. Bellovin (Addison-Wesley, 1994)
   http://www.aw.com/cp/Ches.html

-----
Brian Clapper ....................... bmc@WillsCreek.COM -or- bmc@telebase.com
http://www.netaxs.com/~bmc/ ......... PGP public key available on request

If people were required to know the law rather than obey it, the government
would be overthrown the very next day.
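To make concrete what the reply above calls a "packet-filtering gateway", here is an added example (not part of the original post, and not code from the FreeBSD project) of a minimal default-deny ipfw ruleset for a single filtering host. The external interface name and the inside network are assumptions; the script only prints the ipfw commands unless APPLY=1 is set, so it can be run and inspected anywhere.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post: a minimal
# default-deny ipfw ruleset for one filtering host. Interface name and
# inside network below are assumptions; change them for your site.
EXT_IF="${EXT_IF:-em0}"                      # assumed external interface
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"   # assumed inside network

# Emit the ruleset as ipfw commands, lowest rule number first.
# Rule order matters: loopback, anti-spoofing, state check, explicit
# allows, then the catch-all deny that makes the policy default-deny.
ipfw_ruleset() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 400 deny ip from $INSIDE_NET to any in via $EXT_IF
ipfw add 500 check-state
ipfw add 600 allow tcp from $INSIDE_NET to any out via $EXT_IF setup keep-state
ipfw add 700 allow udp from $INSIDE_NET to any 53 out via $EXT_IF keep-state
ipfw add 800 allow icmp from any to any icmptypes 3,4,11
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of "ipfw add" rules the ruleset emits (the flush line excluded).
rule_count() {
    ipfw_ruleset | grep -c '^ipfw add '
}

# Sanity check for a default-deny policy: the last rule must be the
# catch-all deny. Returns 0 when it is.
ends_in_default_deny() {
    ipfw_ruleset | tail -n 1 | grep -q 'deny log ip from any to any'
}

# Dry-run by default; only load the rules when the operator asks for it.
if [ "${APPLY:-0}" = "1" ]; then
    ipfw_ruleset | sh
else
    ipfw_ruleset
fi
```

Rule 400 drops packets arriving on the external interface that claim an inside source address, and rules 600 and 700 rely on ipfw's keep-state so that only replies to connections opened from inside are admitted. Note that this is exactly the single-host design the reply warns about: every rule lives on one machine, so the filter is only as strong as that host's own hardening.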