From: "Forrest W. Christian"
To: "Drew J. Weaver"
Cc: "'freebsd-isp@FreeBSD.ORG'"
Date: Thu, 4 Oct 2001 10:56:15 -0600 (MDT)
Subject: Re: firewall question

On Thu, 4 Oct 2001, Drew J. Weaver wrote:

> is a freebsd firewall as good as a "hardware" solution such as watchguard
> fireboxes or Cisco products?

Depends. Some of the "hardware" solutions are actually freebsd or similar
with a gui front end tacked on them.

I can't actually point at any product and say they are/aren't any more
secure than any others. Personally, I find most gui-configured firewalls
to be scary in that they tend to be black boxes you aren't quite sure what
they are doing. I highly recommend cisco IOS with FW feature set which
can be added to any cisco router, with the caveat that you need to know
IOS to configure the thing.

That said, for most people, almost anything which runs NAT and which you
don't open up any holes in is probably good enough security. Personally,
I recommend a FreeBSD box with nat running and some filters to filter
bogus addresses (such as ones appearing to come from you coming from the
outside) at the border.

About the only thing some of the commercial boxes provide that FreeBSD
doesn't is in-path virus and/or java filtering and sometimes caching or
monitoring of internet usage.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd.              P.O. Box 5749
http://www.imach.com/                    Helena, MT 59604
Home of PacketFlux Technologies and BackupDNS.com       (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
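The border filtering recommended in the message above (NAT plus dropping bogus source addresses arriving on the outside interface), as an added example that is not part of the original message. It prints ipfw commands rather than running them; the interface name fxp0, the inside network 192.168.1.0/24, the rule numbers and the exact list of bogus ranges are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate ipfw rules for a NAT border box with
# anti-spoofing filters. Nothing is applied; the rules are only printed.

# Source ranges that should never arrive from the Internet side
# (RFC 1918 private space, loopback, link-local, multicast, reserved).
BOGUS_SRC="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"

# border_rules OIF INSIDE_CIDR
#   OIF          outside (Internet-facing) interface
#   INSIDE_CIDR  the network behind the NAT box
border_rules() {
    oif=$1
    inet=$2
    n=100
    [ -n "$oif" ] && [ -n "$inet" ] || {
        echo "usage: border_rules OIF INSIDE_CIDR" >&2
        return 1
    }

    # Loopback traffic is legitimate only on lo0.
    echo "ipfw add $n allow ip from any to any via lo0"
    n=$((n + 100))

    # "Ones appearing to come from you coming from the outside":
    # our own inside addresses as a source on the outside interface.
    echo "ipfw add $n deny ip from $inet to any in via $oif"
    n=$((n + 100))

    # Other source addresses that cannot be genuine at the border.
    # Matching "in via" only keeps outbound, not-yet-translated
    # packets from the inside network out of these rules.
    for net in $BOGUS_SRC; do
        echo "ipfw add $n deny ip from $net to any in via $oif"
        n=$((n + 100))
    done

    # Hand the remaining traffic on the outside interface to natd.
    # The site's own allow/deny policy follows from this point.
    echo "ipfw add $n divert natd ip from any to any via $oif"
}

# Constructed sample values (assumptions, see above).
border_rules fxp0 192.168.1.0/24
```

Review the printed rules before loading them; the source checks are placed ahead of the divert rule so they see inbound packets before natd rewrites anything.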