From: theob@za.uu.net
To: freebsd-security@freebsd.org
Date: Mon, 27 Jan 2003 08:06:17 +0200 (SAST)
Subject: The way forward.......
Message-ID: <20030127073039.U1537@woody.ops.uunet.co.za>

Hi List

This is a question that I'm sure has been posted many a time and one that has led to large debates/conversations, however since I'm new to the list and FreeBSD security I need to open it up again.
Coming from a Cisco Pix background, being fairly new to security and being a huge fan and supporter of FreeBSD, I would want to pursue a firewall that is based solely on stateful inspection, but here is my dilemma. On reading through the following links:

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO

it seems that both offer stateful inspection. In http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO it says:

"Using these options to make primitive stateful rulesets has been functionality that has been available in ipfirewall(4) for a long time, however, because of its very limited stateful capabilities, ipfirewall(4) has long been regarded as a stateless firewall, with IPFilter the stateful alternative"

So then is it safe to assume that ipfilter is the best choice for statefulness? There is also mention that one would have a lot more functionality by using ipfw and adding stateful arguments to the rule sets; is this true? While ipfw may not be a true stateful firewall, one can still add in the functionality and therefore be able to set up a very secure firewall, but how secure would it be against a firewall based on the ipfilter way?

In a discussion I found on Google, it was stated that ipfw is marginally better for FreeBSD because it supports all the FreeBSD specific hacks, so then does that mean ipfilter does not cope well with FreeBSD specific hacks? I have however successfully set up ipfilter as per http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO and it works well.

Would it also be safe to assume that should one want to set up a firewall whose sole purpose is to block everything coming in and allow everything going out on a stateful level then ipfilter is the way to go, but if the firewall was to protect different services behind it like a mail server and a web server, would ipfw be the way to go? I guess what I'm trying to say is, on average, what do most people use?
My feeling is that ipfilter is the way to go; however, since ipfw is FreeBSD specific, then running a firewall on FreeBSD one should aim at ipfw as opposed to ipfilter......

Once again, if this mail is opening up sore wounds or if people are tired of getting involved in this debate again then I apologise, but like I said I'm a huge fan of FreeBSD and I really want to decide on which one to use so that I can give my full attention to it rather than be half-minded between the two.

Thanks
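The "block everything inbound, allow everything outbound statefully" policy from the question, with one inbound exception for a web server, as an added example that is not part of the original post: once as the ipfw check-state/keep-state rules the quoted HOWTO calls "primitive stateful", in the style of /etc/rc.firewall, and once as the equivalent ipf.rules. The interface name fxp0, the web server address and the FWCMD dry-run variable are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
oif="fxp0"            # external interface
web="192.0.2.10"      # web server behind the firewall (documentation address range)

# ipfw: load the ruleset, or print it without touching the kernel with FWCMD=echo.
ipfw_stateful_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    ${fwcmd} -f flush
    # Packets are matched against the dynamic rules created by keep-state here,
    # before any static rule, so replies to allowed connections never reach the deny.
    ${fwcmd} add 100 check-state
    ${fwcmd} add 200 allow ip from any to any via lo0
    # Outbound: only the first packet of a TCP connection ("setup") needs a static
    # rule; keep-state then installs a dynamic rule that admits the rest of the flow.
    ${fwcmd} add 300 allow tcp from any to any out via ${oif} setup keep-state
    ${fwcmd} add 310 allow udp from any to any out via ${oif} keep-state
    ${fwcmd} add 320 allow icmp from any to any out via ${oif} keep-state
    # Inbound exception for the web server: same mechanism, opposite direction.
    ${fwcmd} add 400 allow tcp from any to ${web} 80 in via ${oif} setup keep-state
    # Default deny for anything no static or dynamic rule matched (logged).
    ${fwcmd} add 65000 deny log ip from any to any
}

# ipfilter: the same policy as an ipf.rules file (load with: ipf -Fa -f /etc/ipf.rules).
ipf_stateful_rules() {
    cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
# No "quick": ipf takes the last matching rule, so later "pass ... quick" rules win.
block in log on ${oif} all
pass out quick on ${oif} proto tcp from any to any flags S keep state
pass out quick on ${oif} proto udp from any to any keep state
pass out quick on ${oif} proto icmp from any to any keep state
pass in quick on ${oif} proto tcp from any to ${web} port = 80 flags S keep state
EOF
}
```

In both rulesets the returning half of an allowed connection is admitted by the state table, not by a static "allow in" rule, which is what lets the inbound default stay at deny.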