From: "Tim Clewlow" <tim@clewlow.org>
To: "Matthias Apitz"
Cc: freebsd-hackers@freebsd.org
Date: Tue, 5 Aug 2008 19:26:38 +1000 (EST)
Subject: Re: Fwd: Q: case studies about scalable, enterprise-class firewall w/ IPFilter

> Hello,
>
> I've posted the attached mail in the IP Filter mailing list; the only
> responses have been badly configured vacation replies :-(
>
> Does someone from freebsd-hackers have an idea?
> Thanks in advance
>
> matthias
>
> ----- Forwarded message from Matthias Apitz -----
>
> From: Matthias Apitz
> Date: Sun, 3 Aug 2008 08:24:15 +0200
> To: IP Filter
> Subject: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
>
> Hello,
>
> We're currently protecting our network (and as well some FreeBSD laptops
> standalone) with IPFilter... I'm wondering if there are any case studies
> about scalable, enterprise-class firewall solutions, redundancy with
> stateful failover, and application-level inspection, and all that alike,
> based on IPFilter and FreeBSD;
>
> Thanks in advance for any pointers
>
> matthias
> --

Hi there,

I have never used ipfilter, but I do use pf, and it can do stateful failover, or firewall redundancy, with CARP (the Common Address Redundancy Protocol) and pfsync. If there is an equivalent syncing program, e.g. ipfiltersync, then you could use that with CARP to allow an ipfilter firewall to fail over with full state tables intact.

Also, you can inspect all manner of status info and tables for a running firewall with pfctl; there must be an equivalent for ipfilter.

If you are looking for general info about building a firewall, e.g. TCP and IP headers, plus ICMP and VoIP and other protocols, then I would recommend the following tutorial; it has a huge amount of information - it is a lot more than just a tutorial on iptables.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Lastly, the "OpenBSD PF Packet Filter Book" has been very useful for me, but I use pf where possible - I think it is the easiest, and paradoxically the most powerful, of all packet filters, but that is my personal opinion, YMMV.

Cheers, Tim.
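As an added illustration of the CARP plus pfsync pairing Tim describes (example configuration written for this page, not taken from the thread or from the pf project), here is the primary node's rc.conf together with the pf.conf rules a two-firewall pair needs. The interface names em0/em1, the 192.0.2.0/24 and 10.0.0.0/30 addresses, and vhid 1 are assumptions; the syntax is that of FreeBSD 10 and later, where a CARP address is an alias on the real interface rather than a separate carp0 device.

```conf
# /etc/rc.conf on the primary firewall (fw1).  The secondary (fw2) is
# identical except: inet 192.0.2.3/24, advskew 100, em1 10.0.0.2/30,
# and pfsync_syncpeer="10.0.0.1".
ifconfig_em0="inet 192.0.2.2/24"
# Shared virtual address; the node with the lowest advskew becomes MASTER.
# The pass phrase is the only authentication on CARP advertisements, so it
# must match on both nodes and must not be left at this placeholder.
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGE_ME alias 192.0.2.1/32"

# Dedicated point-to-point link for pfsync.  pfsync replicates the whole
# state table unauthenticated and unencrypted, so it gets its own cable.
ifconfig_em1="inet 10.0.0.1/30"
pfsync_enable="YES"
pfsync_syncdev="em1"
pfsync_syncpeer="10.0.0.2"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/sysctl.conf: a recovered primary takes the address back immediately
net.inet.carp.preempt=1

# /etc/pf.conf (identical on both nodes)
ext_if  = "em0"
sync_if = "em1"

block all
# CARP advertisements (IP protocol 112) must pass on every interface that
# carries a vhid; if they are blocked, the nodes cannot see each other and
# both believe they are MASTER (a split brain with a duplicated address).
pass quick on $ext_if proto carp
# pfsync (IP protocol 240) is allowed only on the sync link.  The state this
# rule creates must not itself be pushed to the peer, hence no-sync.
pass quick on $sync_if proto pfsync keep state (no-sync)
# Ordinary stateful rules need nothing extra: every state they create is
# replicated over pfsync, so an established session outlives a failover.
pass in on $ext_if proto tcp from any to 192.0.2.1 port 443 keep state
pass out on $ext_if keep state
```

After loading the rules, `ifconfig em0` on each node should show one MASTER and one BACKUP for vhid 1, and `pfctl -s state` on the backup should list the same entries as the master.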