Date:      Tue, 5 Aug 2008 19:26:38 +1000 (EST)
From:      "Tim Clewlow" <tim@clewlow.org>
To:        "Matthias Apitz" <matthias.apitz@oclc.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Fwd: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
Message-ID:  <53720.192.168.1.10.1217928398.squirrel@192.168.1.100>
In-Reply-To: <20080805080520.GB3063@rebelion.Sisis.de>
References:  <20080805080520.GB3063@rebelion.Sisis.de>


>
> Hello,
>
> I've posted the attached mail in the IP Filter mailing list; the only
> responses have been badly configured vacation replies :-(
>
> Someone from freebsd-hackers has an idea? Thanks in advance
>
> 	matthias
>
> ----- Forwarded message from Matthias Apitz <guru@UnixArea.de> -----
>
> From: Matthias Apitz <guru@UnixArea.de>
> Date: Sun, 3 Aug 2008 08:24:15 +0200
> To: IP Filter <ipfilter@coombs.anu.edu.au>
> Subject: Q: case studies about scalable, enterprise-class firewall
> w/ IPFilter
>
>
> Hello,
>
> We're currently protecting our network (and as well some FreeBSD
> laptops standalone) with IPFilter... I'm wondering if there are any
> case studies about scalable, enterprise-class firewall solutions,
> redundancy with stateful failover, and application-level inspection,
> and the like, based on IPFilter and FreeBSD;
>
> thanks in advance for any pointers
>
> 	matthias
> --

Hi there, I have never used ipfilter, but I do use pf, and it can do
stateful failover, or firewall redundancy, with CARP (the Common
Address Redundancy Protocol) and pfsync. If there is an equivalent
syncing program, e.g. ipfiltersync, then you could use that with CARP
to allow an ipfilter firewall to fail over with full state tables
intact.

Also, you can inspect all manner of status info and tables for a
running firewall with pfctl; there must be an equivalent for
ipfilter.

If you are looking for general info about building a firewall, e.g.
TCP and IP headers, plus ICMP and VoIP and other protocols, then I
would recommend the following tutorial; it has a huge amount of
information - it is a lot more than just a tutorial on iptables.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Lastly, the "OpenBSD PF Packet Filter Book" has been very useful for
me, but I use pf where possible - I think it is the easiest, and
paradoxically the most powerful of all packet filters, but that is
my personal opinion, YMMV.

Cheers, Tim.
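A worked configuration for the CARP + pfsync arrangement Tim describes above, added here as an example; it is not part of the original thread and not FreeBSD project documentation. The script renders the rc.conf, loader.conf/sysctl.conf and pf.conf fragments for a two-node FreeBSD pf pair. Everything concrete in it is an assumption: the interface names (em0 outside, em1 inside, em2 as a back-to-back sync cable), the addresses (203.0.113.0/24 outside, 192.168.1.0/24 inside, 10.0.0.0/30 on the sync link), the vhids, the `example.org` hostnames, the shared CARP passphrase and the helper names `render_rc_conf`, `render_kernel_conf`, `render_pf_conf`, `validate_pair` and `render_pair`. The syntax is the FreeBSD 10-and-later form, where a CARP address is an option on an ordinary interface address; on the FreeBSD of 2008 the same thing was done on a separate `carp0` interface.

```shell
#!/bin/sh
# Added example: render the configuration for a two-node FreeBSD pf firewall
# pair that fails over with CARP and mirrors state tables with pfsync.
# Interface names, addresses, vhids, hostnames and the CARP passphrase are
# assumptions chosen for illustration.

EXT_IF=em0            # Internet-facing interface
INT_IF=em1            # LAN-facing interface
SYNC_IF=em2           # dedicated back-to-back link used only for pfsync
EXT_VIP=203.0.113.1   # shared external address (vhid 1)
INT_VIP=192.168.1.1   # shared internal address, the LAN default gateway (vhid 2)
CARP_PASS=changeme    # shared CARP passphrase, identical on both nodes

# render_rc_conf NAME EXT_ADDR INT_ADDR SYNC_ADDR PEER_SYNC_ADDR ADVSKEW
# ADVSKEW is the only value that differs between the two nodes: the node
# with the lower advskew wins the master election for every vhid.
render_rc_conf() {
    name=$1 ext_addr=$2 int_addr=$3 sync_addr=$4 peer_addr=$5 skew=$6
    cat <<EOF
# /etc/rc.conf fragment for $name
hostname="$name.example.org"
ifconfig_${EXT_IF}="inet $ext_addr/24"
ifconfig_${EXT_IF}_alias0="inet vhid 1 advskew $skew pass $CARP_PASS alias $EXT_VIP/32"
ifconfig_${INT_IF}="inet $int_addr/24"
ifconfig_${INT_IF}_alias0="inet vhid 2 advskew $skew pass $CARP_PASS alias $INT_VIP/32"
ifconfig_${SYNC_IF}="inet $sync_addr/30"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pfsync_enable="YES"
pfsync_syncdev="$SYNC_IF"
pfsync_syncpeer="$peer_addr"
EOF
}

# Boot-time pieces that are identical on both nodes.
render_kernel_conf() {
    cat <<'EOF'
# /boot/loader.conf
carp_load="YES"
# /etc/sysctl.conf
# preempt=1: let the backup take over as soon as it hears a worse
# advertisement from the master (e.g. after a link failure on one of the
# master's CARP interfaces), not only when advertisements stop. See carp(4).
net.inet.carp.preempt=1
EOF
}

# pf.conf is identical on both nodes.
render_pf_conf() {
    cat <<EOF
# /etc/pf.conf
ext_if  = "$EXT_IF"
int_if  = "$INT_IF"
sync_if = "$SYNC_IF"

set skip on lo0

# pfsync is neither authenticated nor encrypted, so it is only allowed on
# the dedicated sync link; (no-sync) keeps these housekeeping states local.
pass quick on \$sync_if proto pfsync keep state (no-sync)

# CARP advertisements on every interface that carries a virtual address.
pass quick on { \$ext_if \$int_if } proto carp keep state (no-sync)

block log all
pass in  on \$int_if inet from \$int_if:network to any keep state
pass out on \$ext_if inet proto { tcp udp icmp } from any to any keep state
EOF
}

# Sanity check before deploying: the two nodes must disagree on advskew
# (otherwise both may claim master) and the intended master must be lower.
validate_pair() {
    master_skew=$1 backup_skew=$2
    [ "$master_skew" -lt "$backup_skew" ]
}

# Render everything for the pair; fw1 is the preferred master.
render_pair() {
    render_kernel_conf
    render_rc_conf fw1 203.0.113.2 192.168.1.2 10.0.0.1 10.0.0.2 0
    render_rc_conf fw2 203.0.113.3 192.168.1.3 10.0.0.2 10.0.0.1 100
    render_pf_conf
}

if [ "${1:-}" = "render" ]; then
    validate_pair 0 100 || { echo "advskew must be lower on the master" >&2; exit 1; }
    render_pair
fi
```

Run it as `sh carp-pair.sh render` and split the output into the files named in the comments on each node. The security point that is easy to miss: CARP advertisements are protected by an HMAC over the shared passphrase, but pfsync updates carry no authentication at all, so anything that can inject packets on the sync segment can create or delete firewall states on both nodes. That is why the sync interface is a direct cable with its own /30 rather than a port on the LAN, and why the pass rule for pfsync is restricted to that one interface. To check a running pair, `ifconfig em0` should report `carp: MASTER vhid 1` on one node and `BACKUP` on the other, and `pfctl -s states` on the backup should show the master's connections being mirrored; if it does not, look at the pfsync0 counters in `ifconfig pfsync0` and at whether `block log all` is dropping the sync traffic.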

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53720.192.168.1.10.1217928398.squirrel>