Date: Tue, 5 Aug 2008 19:26:38 +1000 (EST)
From: "Tim Clewlow" <tim@clewlow.org>
To: "Matthias Apitz" <matthias.apitz@oclc.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Fwd: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
Message-ID: <53720.192.168.1.10.1217928398.squirrel@192.168.1.100>
In-Reply-To: <20080805080520.GB3063@rebelion.Sisis.de>
References: <20080805080520.GB3063@rebelion.Sisis.de>
> Hello,
>
> I've posted the attached mail in the IP Filter mailing list; the only
> responses have been badly configured vacation replies :-(
>
> Someone from freebsd-hackers has an idea? Thanks in advance
>
> matthias
>
> ----- Forwarded message from Matthias Apitz <guru@UnixArea.de> -----
>
> From: Matthias Apitz <guru@UnixArea.de>
> Date: Sun, 3 Aug 2008 08:24:15 +0200
> To: IP Filter <ipfilter@coombs.anu.edu.au>
> Subject: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
>
> Hello,
>
> We're currently protecting our network (and as well some FreeBSD laptops
> standalone) with IPFilter... I'm wondering if there are any case studies
> about scalable, enterprise-class firewall solutions, redundancy with
> stateful failover, and application-level inspection, and all that alike,
> based on IPFilter and FreeBSD;
>
> thanks in advance for any pointers
>
> matthias
> --

Hi there,

I have never used ipfilter, but I do use pf, and it can do stateful failover, or firewall redundancy, with CARP (the Common Address Redundancy Protocol) and pfsync. If there is an equivalent syncing program, e.g. ipfiltersync, then you could use that with CARP to allow an ipfilter firewall to fail over with full state tables intact. Also, you can inspect all manner of status info and tables for a running firewall with pfctl; there must be an equivalent for ipfilter.

If you are looking for general info about building a firewall, e.g. TCP and IP headers, plus ICMP and VoIP and other protocols, then I would recommend the following tutorial; it has a huge amount of information - it is a lot more than just a tutorial on iptables.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Lastly, the "OpenBSD PF Packet Filter Book" has been very useful for me, but I use pf where possible - I think it is the easiest, and paradoxically the most powerful, of all packet filters, but that is my personal opinion, YMMV.

Cheers, Tim.
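The CARP + pfsync arrangement Tim describes, written out as a configuration example. This is added for illustration and is not from either mail; the interface names (em0/em1/em2), addresses, vhids and the *_SECRET_PLACEHOLDER strings are constructed, and the carp0/carp1 cloned-interface syntax is the carp(4) form of the FreeBSD releases current at the time of the thread (later releases attach a vhid as an alias on the physical interface instead). The same files go on both firewalls; only the node-specific addresses and the advskew values differ.

```conf
# /etc/rc.conf (constructed example; names and addresses are placeholders)
pf_enable="YES"
pf_rules="/etc/pf.conf"
pfsync_enable="YES"
pfsync_syncdev="em2"                 # dedicated back-to-back link to the other firewall
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 203.0.113.2/24"   # external, node-specific address
ifconfig_em1="inet 192.168.1.2/24"   # internal, node-specific address
ifconfig_em2="inet 10.0.0.1/30"      # state-sync link, never routed
# Shared addresses that move with the MASTER role. On the backup node use
# advskew 100 so it only wins the election when the master stops advertising.
ifconfig_carp0="vhid 1 advskew 0 pass EXT_SECRET_PLACEHOLDER 203.0.113.1/24"
ifconfig_carp1="vhid 2 advskew 0 pass INT_SECRET_PLACEHOLDER 192.168.1.1/24"

# /etc/sysctl.conf: a node with lower advskew reclaims MASTER when it returns,
# and all of this node's vhids demote together when one of them loses its link,
# so external and internal addresses always fail over as a pair.
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
set skip on lo0
block in log all
# CARP advertisements (IP protocol 112) must pass on every interface carrying a
# shared address; pfsync (IP protocol 240) is allowed only on the sync link.
pass quick on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync
# Ordinary stateful rules follow; their state entries are what pfsync replicates,
# so connections survive a failover without being re-established.
pass out on $ext_if inet keep state
pass in on $int_if inet from $int_if:network to any keep state
```

After both nodes are up, `ifconfig carp0` shows which node holds MASTER, and `pfctl -s state` on the backup should list the same entries as on the master. pfsync carries no authentication of its own, which is why the example confines it to a dedicated point-to-point interface rather than the production segments.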