Re: ipfw or ipf?

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)
Date: 03/08/01


From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Christopher Schulte <christopher@schulte.org>
Date: Wed, 07 Mar 2001 18:28:48 -0800

In message <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>, Christopher Schulte writes:
> At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
> >On the other hand ipfw can do traffic shaping. On FreeBSD you can
> >build an "invisible" firewall with ipfw doing bridging.
>
> ipfw + dummynet + bridging is exactly what I use for my firewall. It's
> fast, stable, easy to manage, powerful and I'd recommend it to anyone
> wanting to secure a small network using FreeBSD and 2 NICs.
>
> Ipfw does have the ability to keep tcp states. I can't speak for NAT or
> portability. I have used ipf on at least OpenBSD and Solaris. It probably
> can be compiled on many more.
>
> ipfw is beautiful - two nics just hop into promisc mode. One connects to
> the 'internal' network, the other to possibly a router or public
> switch. Then using the firewall/shaping rules defined with ipfw traffic is
> transparently passed (or dropped/rejected) from the external network to
> machines on the inside via software bridging.
>
> Not to mention, you can do sophisticated traffic limiting at the same time.

On the flip side IP Filter gives FTP, RCMD, and Real Audio proxies.
The last two are inconsequential, unless you firewall your workstation,
like I do at work, and perform Kerberos rsh (krsh) to systems you
manage.

The FTP proxy allows you to support PORT (active) FTP through your
firewall. Not all FTP clients support passive FTP. Not all users are
smart enough to remember to use passive FTP.

It's been reported that the state engine in IP Filter is more mature and
more restrictive because of the checks it does for TCP packets being
within the TCP window. I'm not sure whether IPFW does the same.

I have built firewalls based on IP Filter for filtering and NAT,
specifically using IPF's FTP proxy, while using IPFW's dummynet.

Both IPFW and IPF are excellent firewalls. The beauty of FreeBSD,
unlike the other operating systems, is that you get BOTH. Two
different tools in your toolbox for two slightly different jobs.

Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca
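One way to put the mixed setup described in this message into practice, as an added example that is not part of the original thread: IP Filter does the filtering and NAT (including the FTP proxy), while ipfw carries only the dummynet pipes and otherwise passes everything. The interface names fxp0 (outside) and fxp1 (inside) and the internal network 192.168.1.0/24 are assumptions; the IPF rules follow the first-match-with-quick style of the IPF HOWTO.

```conf
# /etc/ipnat.conf  (ipnat, assumed interfaces/addresses)
# The proxy rule must come before the generic map rules: it rewrites the
# PORT command of active-mode FTP and adds state for the inbound data
# connection, so clients that never learned "passive" still work.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.conf  (ipf)
# Default-deny on the outside; state entries created by "keep state" (and by
# the FTP proxy) are consulted before the rule list, so replies get back in.
block in  quick on fxp0 all
# "flags S" creates state only from the initial SYN, so the state engine can
# track the TCP window from the start of the connection.
pass  out quick on fxp0 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass  out quick on fxp0 proto udp  from 192.168.1.0/24 to any keep state
pass  out quick on fxp0 proto icmp from 192.168.1.0/24 to any keep state
# Inside interface is trusted in this example.
pass  in  quick on fxp1 all
pass  out quick on fxp1 all

# /etc/ipfw.rules  (loaded via firewall_type, one ipfw command per line)
# ipfw is used only for dummynet shaping here; filtering is left to IPF.
# Assumed link: 512 kbit/s upstream, 2 Mbit/s downstream.
-f flush
pipe 1 config bw 512Kbit/s queue 50
pipe 2 config bw 2Mbit/s queue 50
add 100 pipe 1 ip from any to any out via fxp0
add 200 pipe 2 ip from any to any in  via fxp0
# The default rule 65535 denies, so explicitly pass the rest.
add 65000 pass ip from any to any

# /etc/rc.conf  (FreeBSD 4.x; kernel needs IPFILTER, IPFIREWALL and DUMMYNET)
gateway_enable="YES"
ipfilter_enable="YES"
ipnat_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
```

Because ipfw's only job here is shaping, keep the pass-all rule at the end; removing it would make ipfw's default deny override whatever IPF allowed.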
