Date: Mon, 27 Jan 2003 15:31:02 +0200 (SAST)
From: theob@za.uu.net
To: freebsd-security@freebsd.org
Subject: The way forward.....
Message-ID: <20030127152950.U446@woody.ops.uunet.co.za>
Hi List

This is a question that I'm sure has been posted many a time and one that has led to large debates/conversations, however since I'm new to the list and FreeBSD security I need to open it up again.

Coming from a Cisco PIX background, being fairly new to security and being a huge fan and supporter of FreeBSD, I would want to pursue a firewall that is based solely on stateful inspection, but here is my dilemma.

On reading through the following links:

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO

it seems that both offer stateful inspection. In http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO it says:

"Using these options to make primitive stateful rulesets has been functionality that has been available in ipfirewall(4) for a long time, however, because of its very limited stateful capabilities, ipfirewall(4) has long been regarded as a stateless firewall, with IPFilter the stateful alternative"

So then is it safe to assume that ipfilter is the best choice for statefulness?

There is also mention that one would have a lot more functionality by using ipfw and adding stateful arguments to the rule sets. Is this true? While ipfw may not be a true stateful firewall, one can still add in the functionality and therefore be able to set up a very secure firewall, but how secure would it be against a firewall based on the ipfilter way?

In a discussion I found on Google, it was stated that ipfw is marginally better for FreeBSD because it supports all the FreeBSD-specific hacks, so then does that mean ipfilter does not cope well with FreeBSD-specific hacks? I have however successfully set up ipfilter as per http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO and it works well.

Would it also be safe to assume that should one want to set up a firewall whose sole purpose is to block everything coming in and allow everything going out on a stateful level, then ipfilter is the way to go, but if the firewall was to protect different services behind it like a mail server and a web server, would ipfw be the way to go?

I guess what I'm trying to say is, on average, what do most people use? My feeling is that ipfilter is the way to go; however, since ipfw is FreeBSD-specific, then running a firewall on FreeBSD one should aim at ipfw as opposed to ipfilter......

Once again, if this mail is opening up sore wounds or if people are tired of getting involved in this debate again then I apologise, but like I said I'm a huge fan of FreeBSD and I really want to decide on which one to use so that I can give my full attention to it rather than be half-minded between the two.

Thanks

_______________________________________
Theo Bierman - theob@za.uu.net
CIT Team - UUNET SA, a WorldCom Company
http://www.uunet.co.za
---------------------------------------
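As an added illustration, not part of Theo's message or of the HOWTOs he cites, of what the "stateful arguments" in the quoted paragraph look like in practice: the policy he describes (block everything inbound except a mail and a web server, allow everything outbound and keep state on it) written once for ipfw with check-state/keep-state and once for IPFilter with keep state. The outside interface fxp0 and the 192.0.2.x server addresses are placeholders chosen for the example.

```conf
### /etc/ipfw.rules  (ipfw; load with: ipfw -q /etc/ipfw.rules)
### Rules are evaluated in number order, first match wins.
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
# Consult the dynamic (state) table before any static rule, so packets that
# belong to an already-accepted session are passed here, in either direction.
add 1000 check-state
# Outbound: the first packet of a session creates a dynamic rule; replies
# are then matched by check-state above, not by any static "allow ... in".
add 1100 allow tcp from any to any out via fxp0 setup keep-state
add 1200 allow udp from any to any out via fxp0 keep-state
add 1300 allow icmp from any to any out via fxp0 keep-state
# Inbound: only the published services (placeholder addresses), each new
# connection limited to a TCP SYN ("setup") and tracked with its own state.
add 2000 allow tcp from any to 192.0.2.10 25 in via fxp0 setup keep-state
add 2100 allow tcp from any to 192.0.2.20 80 in via fxp0 setup keep-state
# Everything else is dropped and logged (needs net.inet.ip.fw.verbose=1).
add 65000 deny log ip from any to any

### /etc/ipf.rules  (IPFilter; load with: ipf -Fa -f /etc/ipf.rules)
### Without "quick" the LAST matching rule wins, so "quick" is used on every
### rule to get the same first-match behaviour as the ipfw set above.
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from any to 127.0.0.0/8
# Outbound: "keep state" creates the state entry that lets replies back in;
# "flags S" means only a SYN may open a new TCP session.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Inbound: the same two published services (placeholder addresses).
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.20 port = 80 flags S keep state
# Default: drop and log everything else that arrives on the outside interface.
block in log quick on fxp0 all
```

In both sets the security comes from the same two facts: no static rule ever allows unsolicited inbound packets, and return traffic is admitted only because a state entry created by an outbound (or explicitly permitted inbound) packet exists for it.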