Re: Firewall confusions

From: Matt Pearce (matt_at_00pearceits.com.au)
Date: 07/01/05


Date: Fri, 01 Jul 2005 21:02:09 +1000

Keve Nagy wrote:

> The confusion:
> While reading man pages, handbook, web articles and pdfs, I came across
> 3 names which messed up my brain.
> IPF, IPFW and PF.
> Older documents usually refer to IPF and IPFW being used together, while
> some new readings say that OpenBSD's PF is the way to go today.

My personal experience is that IPFW is a PITA for anyone new to learn.
IPF I found to be reasonably clear and easy to use, with lots of help
available from various web pages etc. That said, PF is a better firewall
IMO; it's just a little harder to get help with and took me longer to
learn when moving from IPF to PF.

> The questions:
> With respect to the facts above, which is the recommended way to go?
> Which one (or two) should I use out of IPF, IPFW and PF?
> Or should I use all three of them?
> (can all three of them be used and would that make any sense at all?)

If you are patient, use PF. Only use one at a time unless you are using
more than one for a specific purpose, i.e. combining PF/IPF and IPFW for
IPFW's ToS capabilities only.

> Knowing that I am inexperienced in firewall configurations, is there a
> good guide that explains (or rather suggests) what and how to do to get
> a decent level of security?

The best bit of reading you can have for PF is this site:-
http://www.openbsd.org/faq/pf/ .

If you want an example this should be sufficient for you to see how
things work and you can probably just modify it to suit. This is
definitely the easiest way to start if you have no/little experience:-
http://www.profx.net/pf.conf

Hope this helps and good luck.

Matt.
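For readers who want to see what a starting ruleset for the PF route looks like, here is a minimal default-deny pf.conf for a single FreeBSD host. This is an added example and not the file linked in the message above or anything from the OpenBSD project; the interface name em0 and the service list are assumptions chosen for illustration.

```conf
# Added example (not from the thread): minimal default-deny pf.conf for one host.
# Assumptions: the external interface is em0; only ssh/http/https are served.
ext_if = "em0"
tcp_services = "{ ssh, http, https }"

# Drop blocked packets silently rather than sending RST/ICMP unreachable,
# and leave loopback traffic unfiltered.
set block-policy drop
set skip on lo0

# Reassemble fragments before the rules see them (scrub syntax as used by FreeBSD's pf).
scrub in on $ext_if all fragment reassemble

# Default deny in both directions; log what is dropped so it shows up in pflog.
block log all

# Let the host itself initiate connections; state entries let the replies back in.
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Accept inbound TCP only to the listed services, and only new connections (SYN without ACK).
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Keep the host pingable for basic diagnostics.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and set `pf_enable="YES"` in /etc/rc.conf so it comes up at boot. The "block log all" line is what gives the ruleset its security value: anything not explicitly passed is dropped and recorded, so a new service that needs to be reachable has to be added deliberately rather than being exposed by default.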


