From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)
Date: Wed Mar 07 2001 - 20:28:48 CST


    In message <5.0.2.1.0.20010307181400.0336ed18@pop.schulte.org>,
    Christopher Schulte writes:
    > At 09:11 PM 3/7/2001 -0300, Fernando Schapachnik wrote:
    > >On the other hand ipfw can do traffic shaping. On FreeBSD you can
    > >build an "invisible" firewall with ipfw doing bridging.
    >
    > ipfw + dummynet + bridging is exactly what I use for my firewall. It's
    > fast, stable, easy to manage, powerful and I'd recommend it to anyone
    > wanting to secure a small network using FreeBSD and 2 NICs.
    >
    > Ipfw does have the ability to keep TCP state. I can't speak for NAT or
    > portability. I have used ipf on at least OpenBSD and Solaris. It probably
    > can be compiled on many more.
    >
    > ipfw is beautiful - two nics just hop into promisc mode. One connects to
    > the 'internal' network, the other to possibly a router or public
    > switch. Then using the firewall/shaping rules defined with ipfw traffic is
    > transparently passed (or dropped/rejected) from the external network to
    > machines on the inside via software bridging.
    >
    > Not to mention, you can do sophisticated traffic limiting at the same time.

    On the flip side IP Filter gives FTP, RCMD, and Real Audio proxies.
    The last two are inconsequential, unless you firewall your workstation,
    like I do at work, and perform Kerberos rsh (krsh) to systems you
    manage.

    The FTP proxy allows you to support PORT (active) FTP through your
    firewall. Not all FTP clients support passive FTP. Not all users are
    smart enough to remember to use passive FTP.

    It's been reported that the state engine in IP Filter is more mature and
    more restrictive because of the checks it does for TCP packets being
    within the TCP window. I'm not sure whether IPFW does the same.

    I have built firewalls based on IP Filter for filtering and NAT,
    specifically using IPF's FTP proxy, while using IPFW's dummynet.

    Both IPFW and IPF are excellent firewalls. The beauty of FreeBSD,
    unlike the other operating systems, is that you get BOTH. Two
    different tools in your toolbox for two slightly different jobs.

    Regards,
    Cy Schubert
    Team Leader, Sun/Alpha Team
    Open Systems Group, ITSD, ISTA
    Province of BC
    Phone: (250)387-8437
    Fax: (250)387-5766
    Internet: Cy.Schubert@osg.gov.bc.ca

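The two IP Filter behaviours discussed in this message, the FTP proxy's handling of an active-mode PORT command and a state engine that admits a TCP segment only when its sequence numbers fall inside the peer's advertised window, worked through as an added Python example. This is not IP Filter or ipfw code and was not posted by anyone in the thread; the addresses, packets, the `pass in` rule text and the bounce and low-port refusal policy are constructed assumptions for illustration.

```python
"""Added example (not IP Filter or ipfw code): an FTP PORT-command handler of the
kind an FTP proxy needs for active mode, and a connection table that checks
sequence numbers against the TCP window. All addresses and segments below are
constructed for the example."""
import re

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line, client_ip):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into the (ip, port) the client will listen on.

    Policy assumed for this example (not necessarily IPF's exact rules): the
    advertised address must be the control connection's own source, so the
    proxy never opens a hole to a third host (the FTP bounce), and privileged
    ports are refused.
    """
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if ip != client_ip:
        raise ValueError("PORT address %s != control-channel client %s" % (ip, client_ip))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return ip, port


def data_channel_rule(server_ip, client_ip, port_line):
    """The temporary pass rule a proxy would install for the data connection:
    the server connects back from port 20 to the client's advertised port.
    The rule text is illustrative, not IPF syntax the proxy literally emits."""
    ip, port = parse_port_command(port_line, client_ip)
    return "pass in proto tcp from %s port = 20 to %s port = %d" % (server_ip, ip, port)


WRAP = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


class WindowStateTable:
    """Connection table that admits a segment only if its sequence range lies
    inside the window the receiving side last acknowledged and advertised.
    A blind spoofer who knows the 4-tuple but not the sequence numbers is
    dropped even though a state entry exists. Simplified: a real engine also
    tolerates some slack for retransmissions."""

    def __init__(self, initial_window=65535):
        self.initial_window = initial_window
        self.conns = {}

    def add_syn(self, src, sport, dst, dport, seq, window):
        """Create state from the initiator's SYN."""
        self.conns[(src, sport, dst, dport)] = {
            # bound for src->dst: nothing acked yet, allow a default window
            "fwd": {"left": (seq + 1) & WRAP, "win": self.initial_window},
            # bound for dst->src: learned from the responder's first segment
            "rev": {"left": None, "win": window},
        }

    def check(self, src, sport, dst, dport, seq, ack, window, length, syn=False):
        """Return True if the segment fits the window; on success, record the
        ack/window it carries as the other side's new left edge and window."""
        if (src, sport, dst, dport) in self.conns:
            conn, mine, theirs = self.conns[(src, sport, dst, dport)], "fwd", "rev"
        elif (dst, dport, src, sport) in self.conns:
            conn, mine, theirs = self.conns[(dst, dport, src, sport)], "rev", "fwd"
        else:
            return False  # no state entry: left to the static rules
        edge = conn[mine]
        consumed = length + (1 if syn else 0)  # SYN occupies one sequence number
        if edge["left"] is None:
            edge["left"] = (seq + consumed) & WRAP  # first segment from this side
        else:
            offset = (seq - edge["left"]) & WRAP
            if offset + max(consumed, 1) > edge["win"]:
                return False  # outside [left, left + win): drop
        conn[theirs]["left"] = ack & WRAP
        conn[theirs]["win"] = window
        return True
```

The PORT handler is why active FTP works through IPF without a static hole: the proxy reads the control channel, derives the one destination the client actually advertised, and opens only that. The state table shows the difference the window check makes: a `keep state` entry matched on addresses and ports alone would pass the spoofed segment with an out-of-window sequence number; the window check rejects it.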