Date: Sun, 1 Jul 2001 23:00:16 +0200 From: "Alfatrion" <alfatrion@cybertron.tmfweb.nl> To: "Fernando Gleiser" <fgleiser@cactus.fi.uba.ar>, "Louis LeBlanc" <leblanc+freebsd@acadia.ne.mediaone.net> Cc: <freebsd-questions@FreeBSD.ORG> Subject: Re: Firewall: ipfw? ipfilter? dhcp lease? Message-ID: <002e01c10271$21fc08d0$231fa8c0@dekruijff.nl> References: <20010701161952.A16304-100000@cactus.fi.uba.ar>
> > Hey all. FreeBSD newbie/convert in training here.
> > Couple questions regarding firewalls.
> >
> > First some background on what I am doing now (meaning I have enough knowledge to get by on my current setup)
> >
> > I am currently using RH6.2 with ipchains for my firewall. I am blocking and allowing different ports from all or just a subnet (all open from my work subnet, most closed from all else, that kind of thing). I also have it set up with dhcpcd (pump doesn't do it for me) so that when I get a new dhcp lease, the firewall is reinitialized by executing the rc.firewall script with each dhcp lease.
> >
> > Anyway, I have just finally gotten around to getting a new (for me) machine at home to run FreeBSD on, and I want to set that up as my front end machine (hooked directly to the cable modem, running the firewall, masquerading, maybe doing nat, etc.), but I also want to make sure the firewall will stay up with the current dhcp lease.
> >
> > Anyway, I have been reading about firewalls on the list for a while, and am wondering about the differences between using ipfilter and ipfw. I take it FreeBSD is not using ipchains, so I won't go there.
> >
> > I assume there is some flexibility/security/simplicity tradeoff between the two? Seems logical to me if so. Is one easier to configure? What about resource requirements? (not that that would be an issue, but I'm curious.)
> >
> > I am well aware that there are books available on the subject, a couple are plugged right in the /etc/rc.firewall script, but I want to make a decision on the approach first, and pick the book or books, web resources, etc. that most apply to my decision (I already have plenty of books that "don't apply")
> >
> > Also, are there any online tools to help set up such a firewall? I have been using an ipchains firewall I generated with Rob Ziegler's excellent Linux Firewall Design Tool at http://www.linux-firewall-tools.com/linux/firewall/index.html
> > And yes, it is excellent! Unfortunately, I don't think he has gotten too much into the FreeBSD world. Maybe I'll scout his site again later, or better yet, email him.
> >
> > BTW, some of you may have noticed that I had asked about 5.0-CURRENT recently, but I will be running 4.3-STABLE on this machine. I am (or was) putting -CURRENT on an extra desktop I have 'absconded' at work for experimentation. Just an FYI.
> >
> > Any and all useful commentary on the subject is more than welcome and much appreciated. I hope I have not strayed too far from list etiquette in terms of being both complete and concise, but please forgive me if I have, and feel free to let me know so I can correct any errant behavior, as I expect to have a lot of questions for the list in the future :).
>
> Both ipf and ipfw are roughly equivalent, and each one has its strengths and weaknesses. For me, they are way better (better syntax, better features, easier to configure) than IP chains.
>
> I am using IP Filter, because it suits my particular needs better.
> I use IPfilter instead of ipfw because:
>
> 1. compatibility with other OS (solaris, other bsd)
> 2. I like the stateful inspection features of ipf better.
> 3. Rule grouping. You can make the rules tree shaped instead of linear, speeding up the rule matching.
> 4. I prefer ipnat over natd.
>
> On the other hand with ipfw you can:
>
> 1. Use a traffic shaper (dummynet).
> 2. Select where you want to NAT (at the beginning, at the end, somewhere in between)
>
> You can even use them both at the same time (I use ipf for NAT/filtering and ipfw for dummynet).
>
> The ipf howto is at http://www.obfuscation.org/ipf/ipf-howto.txt
> The ipfw howto is at http://www.mostgraveconcern.com/freebsd/ipfw.html
>
> The IP Filter mailing list archives are at http://false.net/ipfilter
>
> My advice is try them both, and pick the one that fits your needs better.
>
> Hope this helps

Your number three reason is also possible with IPFW.

Alex
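Louis asked above how to keep the ruleset in step with a changing DHCP lease, and Alex notes that rule grouping is available in ipfw as well. As an added example that is not part of the thread, the following dhclient exit hook rebuilds an ipfw ruleset with skipto groups whenever the lease address changes; it assumes ISC dhclient's exit-hook variables ($reason, $interface, $old_ip_address, $new_ip_address), and the trusted subnet 192.0.2.0/24, the interface name and the rule numbers are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread: an /etc/dhclient-exit-hooks that
# rebuilds the ipfw ruleset when the DHCP lease changes, grouping rules with
# skipto instead of one linear list. Assumed: ISC dhclient's exit-hook
# variables ($reason, $interface, $old_ip_address, $new_ip_address); the
# trusted "work" subnet and the rule numbers are constructed values.

WORK_NET="192.0.2.0/24"   # constructed: subnet allowed to reach sshd

# Return 0 when the lease event requires a rebuild: a (re)binding whose
# address differs from the one the current rules were generated for.
needs_reload() {
    case "$1" in
        BOUND|REBOOT|RENEW|REBIND) [ "$2" != "$3" ] ;;
        *) return 1 ;;
    esac
}

# Emit an ipfw rules file ("add ..." lines, loaded with "ipfw -q file") for
# outside interface $1 holding address $2. Rule 250 keeps DHCP renewals open
# so the lease itself cannot be firewalled away. Rule 300 jumps inbound
# traffic aimed at us to group 1000; everything else falls through to group
# 2000, so a packet is tested only against the rules of its own group.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 250 allow udp from any 67 to any 68 in recv $1
add 300 skipto 1000 ip from any to $2 in recv $1
add 400 skipto 2000 ip from any to any
add 1000 allow tcp from $WORK_NET to $2 22 setup keep-state
add 1010 allow icmp from any to $2 icmptypes 0,3,11
add 1099 deny log ip from any to any in recv $1
add 2000 allow ip from $2 to any out xmit $1 keep-state
add 65000 deny log ip from any to any
EOF
}

# Only act when dhclient invoked us; sourcing the file alone has no side effects.
if [ -n "${reason:-}" ] && needs_reload "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
    tmp=/var/run/ipfw.rules.$$
    build_rules "$interface" "$new_ip_address" > "$tmp" &&
        ipfw -q -f flush && ipfw -q "$tmp"
    rm -f "$tmp"
fi
```

A renewal that keeps the same address leaves the ruleset untouched, so long-lived keep-state entries survive it; only an address change triggers the flush and reload.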