socrel: You should be able to find the original post in the archives, as I clipped it up some.
--- Daniel Pittman <[EMAIL PROTECTED]> wrote:
> On 1 Jul 2004, Mike Mestnik wrote:
> > --- [EMAIL PROTECTED] wrote:
> >>
> >> Looking for considered comparisons of firewalling on Linux and FreeBSD.
> >
> > FreeBSD lets you respond to 'blocked' ports in "exactly" the same way
> > 'closed' ports are. Linux has higher moral standards, as in the
> > developers refuse to add this feature on their religious grounds.
>
> I am bemused by this claim, since it is untrue to the best of my
> knowledge. Which protocols do you believe are unable to supply a full
> protocol-compliant NAK?
>
> Possibly you mean to say:
>
>     Linux does not support generating a protocol "closed port"
>     message that appears to originate from a device behind the
>     firewall
>
> Otherwise, you can certainly provide the standard protocol NAK response
> for all the widely used protocols, to the best of my knowledge.
>
http://lists.netfilter.org/pipermail/netfilter/2000-May/003863.html
It's a long-outstanding feature request: "TCP-RST" vs. icmp-unreachable.

Taken from: http://www.hmug.org/man/8/ipfw.html

     deny    Discard packets that match this rule.  The search terminates.
             drop is an alias for deny.

     reset   TCP packets only.  Discard packets that match this rule, and
             try to send a TCP reset (RST) notice.  The search terminates.

> >> I am especially interested in learning about ease of connection
> >> tracking
> >
> > There is no *inner workings* documentation on either side and it's
> > difficult to see how each **works** for a comparison.
>
> Both systems are equally capable of "easily" providing an active
> firewall using some form of connection tracking. This can be as trivial
> as a single line in both, as I understand it.
>
I'm not really sure if this is true of Linux; let me take a stab at it.

    iptables -A FORWARD -i $IFACE+ -m state --state \
        ESTABLISHED,RELATED -j ACCEPT

In FreeBSD it's something like...

    allow tcp from any to $Webserver_A http setup keep-state

I would have to say the latter is much cleaner. The internal workings also
seem to be better... On match, a new rule to allow the next packet in is
created (in a kernel-private table). Maybe this is just a pseudo-rule based
on a connection tracking struct, like what Linux seems to provide. This is
all conjecture on my part; without docs it's hard to say. I just like the
religion...

FreeBSD: We skip the whole CT bit and go right on to what is important.
We see X1; the next thing we will see is X2. Is what we see X2?

Linux: Looks like a lot of state for a simple concept. We see X1; this
socket is now in state Y. We now see X2; is this valid for state Y?

> >> and of getting packets into user space for analysis via scripts.
> >
> > I think Linux takes this one -hands down-. However I would always
> > caution, buffer overflows and other security risks are always
> > involved.
>
> Depending on the OP's requirements, both platforms support packet capture
> before the firewall, allowing you to bypass the firewall subsystem
> entirely, and (relatively) portably, so you are not (so) tied to your
> initial choice.
>
I think the state Linux provides will be valuable here.

> > Sticking to the OS's own book-keeping should be your goal. In Linux
> > this means text files in sudo FS.
>
> I am not at all clear what you mean by "sudo FS", but iptables
> supports logging rule matches via the kernel log mechanism and, thus,
> through syslog.
>
That's what I'm talking about, reading the state. "sudo FS" == "proc FS".

> It also supports the "userspace log daemon" protocol, allowing
> applications to be sent packets for review and logging. The 'ulogd'
> package supports logging to files and databases out of the box, and
> should be a good basis for adapting a Linux specific packet capture
> solution.
>
Does FreeBSD have this?

> Daniel
> --
> My definition of an expert in any field is a person who knows enough about
> what's really going on to be scared.
>         -- P.J. Plauger
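As an added example (not code from either poster): Mike's remark about reading the state the OS already keeps, "text files in proc FS", points at /proc/net/ip_conntrack on a 2.4/2.6-era Linux box, which is what ulogd or a script would read. The script below parses a constructed sample of that table (the column layout is assumed from that era's ip_conntrack output, and every sample line is made up) and then uses the parsed entries for the kind of analysis the thread has in mind: it flags sources with several half-open, unreplied SYN_SENT entries, which is what a port scan or SYN flood looks like in the conntrack table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /proc/net/ip_conntrack. Layout assumed from the
# 2.4/2.6-era ip_conntrack module:
#   proto protonum timeout [tcp_state] <orig tuple> [UNREPLIED] <reply tuple> [ASSURED] use=N
# The addresses, ports and counts below are invented for this example.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=34567 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.10 dst=10.0.0.9 sport=40001 dport=22 [UNREPLIED] src=10.0.0.9 dst=192.168.1.10 sport=22 dport=40001 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53423 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53423 use=1
icmp     1 29 src=192.168.1.10 dst=10.0.0.5 type=8 code=0 id=1234 src=10.0.0.5 dst=192.168.1.10 type=0 code=0 id=1234 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=192.168.1.10 sport=51000 dport=80 [UNREPLIED] src=192.168.1.10 dst=203.0.113.7 sport=80 dport=51000 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=192.168.1.10 sport=51001 dport=80 [UNREPLIED] src=192.168.1.10 dst=203.0.113.7 sport=80 dport=51001 use=1
"""


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int                # seconds until the kernel expires the entry
    tcp_state: Optional[str]    # e.g. SYN_SENT, ESTABLISHED; None for non-TCP
    orig: Tuple4                # direction the first packet was seen in
    reply: Tuple4               # expected reverse direction
    unreplied: bool             # no packet seen in the reply direction yet
    assured: bool               # kernel will not evict this entry under pressure


# One address tuple as printed for tcp/udp; the reply tuple is the
# second match on the same line.
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one ip_conntrack line. Only tcp and udp are handled; icmp
    entries print type=/code=/id= instead of ports and are skipped."""
    fields = line.split()
    proto = fields[0]
    if proto not in ("tcp", "udp"):
        return None
    timeout = int(fields[2])
    tcp_state = fields[3] if proto == "tcp" else None
    tuples = _TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected two address tuples: %r" % line)
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return ConntrackEntry(proto, timeout, tcp_state, orig, reply,
                          "[UNREPLIED]" in fields, "[ASSURED]" in fields)


def parse_table(text: str) -> List[ConntrackEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def half_open_by_source(entries: List[ConntrackEntry], min_count: int = 2) -> Dict[str, int]:
    """Count TCP entries still in SYN_SENT with no reply, grouped by the
    originating address, and keep sources at or above min_count. A pile of
    these from one source is the conntrack-table view of a scan or SYN flood."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.proto == "tcp" and e.tcp_state == "SYN_SENT" and e.unreplied:
            counts[e.orig.src] = counts.get(e.orig.src, 0) + 1
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for src, n in half_open_by_source(table).items():
        print("%s: %d half-open connections" % (src, n))
```

On a real host, replace SAMPLE with the contents of /proc/net/ip_conntrack (root is needed to read it, and newer kernels moved it to /proc/net/nf_conntrack with a slightly different first column). The parser is deliberately strict about the two-tuple shape so that a layout change shows up as an error rather than as silently missing entries.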

