Re: Firewalls in a K-12

From: Michael Grice (grice@binc.net)
Date: 08/20/01


Date: Mon, 20 Aug 2001 13:21:10 -0500
From: Michael Grice <grice@binc.net>
To: "Keith.Morgan" <Keith.Morgan@Terradon.com>
Subject: Re: Firewalls in a K-12
Message-ID: <20010820132110.H14270@ctg-mail.binc.net>


* Keith.Morgan <Keith.Morgan@Terradon.com> [010820 12:57] wrote:

[...]

> *bsd tends to be a little more stable where linux tends to be a little more
> "bleeding edge".
> Before I get flamed however, I'd like to state that I run several production
> firewalls on linux, using ipchains for filtering, ipmasqadm for network
> address translation, and FreeS/WAN for vpn connectivity. I've had ZERO
> reliability problems on those boxen.

I made the mistake of deleting the original, but I would like to comment
on using Linux versus using OpenBSD for your firewall. I use both
operating systems for various things.

Kath's familiarity with Linux is important. Having said that, though,
I haven't found using OpenBSD much more difficult than using Linux
(although there is a bit of a learning curve). There's a much steeper
curve if you're switching from NT to any version of Unix, and I wouldn't
weight this too heavily in your decision.

The two arguments I would use against using Linux as a firewall are:
1. Linux has used different mechanisms for packet filtering in the 2.0,
2.2 and 2.4 kernels. I just don't have the same confidence I
would with ipf on OpenBSD.
2. Hardening most Linux distributions is often a fair amount of work.
The folks who make Linux distributions have not done a good job to this
point of making the default installations secure (although they are
getting better). The OpenBSD folks do a good job of this.

Arguments against OpenBSD are:
1. Kath's lack of familiarity with OpenBSD.
2. OpenBSD will no longer include ipf as a part of its default
installation with the next version (over licensing issues). You should
be able to install ipf as a port or from source, however, although this
may complicate an upgrade from the current version. I would wait a while
before using OpenBSD's new packet filtering software.

At home, my OpenBSD firewall has performed well and required minimal
maintenance.
--Michael