RE: Firewall and FreeBSD ports
On Behalf Of RW:

> I don't normally do this as Watson is usually less impressed when Holmes reveals his working, but the clues were there. He wrote:
>
> > install software with ports (i.e., the /usr/ports collection.)
>
> and
>
> > FTP to grab source files from mirrors
>
> If you combine that with crediting the poster with enough common sense to mention he was using a version before 6.2, then it seemed unlikely to be a problem with active FTP.
>
> BTW neither of us actually answered the question. I know I forgot as I was in a hurry. I'm pretty sure you didn't either, but I don't have the time to read all of your reply in detail. The answer is: enable outgoing tcp connections to port 21 and to all ports above 1023.

Is there a way to set up any firewall so that while there is an active outgoing connection on port 21, allow any incoming connections from the same IP address?

Bob McConnell

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Firewall and FreeBSD ports
I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.

Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.

Am I on the right track, here?

Thanks: John
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
>
> Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
>
> Am I on the right track, here?

See the fetch(1) man page. Try this first:

sh/bash: export FTP_PASSIVE_MODE=true
csh:     setenv FTP_PASSIVE_MODE true

Chances are this will address the problem for you.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.             PGP: 4BD6C0CB |
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
> >
> > Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
> >
> > Am I on the right track, here?
>
> See the fetch(1) man page. Try this first:
>
> sh/bash: export FTP_PASSIVE_MODE=true
> csh:     setenv FTP_PASSIVE_MODE true

Passive ftp has been the default for a long time; fetch is called with the -p option.

If you have access to an http-proxy that supports ftp requests over http, fetch can use that. Alternately you can probably avoid ftp altogether by setting:

MASTER_SORT_REGEX?= ^http:

in make.conf
Re: Firewall and FreeBSD ports
On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
> > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
> > >
> > > Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
> > >
> > > Am I on the right track, here?
> >
> > See the fetch(1) man page. Try this first:
> >
> > sh/bash: export FTP_PASSIVE_MODE=true
> > csh:     setenv FTP_PASSIVE_MODE true
>
> Passive ftp has been the default for a long time; fetch is called with the -p option.

Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.

First off, libfetch (which is what fetch(1) uses) itself DOES NOT default to using FTP passive mode. You have to either pass the -p option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE environment variable (which affects anything using libfetch).

Secondly, the ports framework (not pkg_* tools!), specifically ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force passive mode. This will be used for things like "make fetch". It *will not* be used for things like "pkg_add -r" or "pkg_add ftp://...".

The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk was applied to HEAD on 2006/09/20. HEAD at that time is what became FreeBSD 6.2. Of course, anyone updating their ports tree after that date would also get the change; I'm just pointing it out so people know what the actual date was when -p was added to the default argument list.
Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure someone will try to argue that's also been turned on by default for a long time; I know how people are... :-)

FTP_PASSIVE_MODE being set by default on login shells was induced by an addition to login.conf(5) back in late 2001 (around the time of RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in cvsweb.

But I'll remind people that login.conf only applies to login shells; logging in on the console, or logging in to an account via ssh [EMAIL PROTECTED]. Most people I know of *do not* SSH into their servers as root; they SSH in as themselves and use sudo. Some use su2, and some use su. Let's examine the behaviours:

$ env | grep FTP
FTP_PASSIVE_MODE=YES

As you can see here, the machine I've SSH'd into as myself does apply login.conf's defaults. But...

$ sudo -s
# env | grep FTP
# exit
$ sudo -i
# env | grep FTP
#

The above scenario (as root) fails, since the FTP_PASSIVE_MODE environment variable isn't being handed down from the login shell (my user account) to the root shell spawned by sudo[1]. su, on the other hand, does it a little differently:

$ su
Password:
# env | grep FTP
FTP_PASSIVE_MODE=YES

And likewise, "su -l" behaves the same way.

The OP did not disclose how he was installing ports. A lot of users think that packages == ports, so for all we know, he could be pkg_add'ing things while using sudo and running into this.

If "make fetch" in an actual port is timing out, then he's either doing it on a machine with a ports tree prior to 2006/09/20 (see above), or his outbound pf rules are so strict that the machine is absurdly limited. I've advocated in another thread my displeasure for filtering outbound traffic *solely* because of this exact scenario. Network admins seem to think that "oh, HTTP is always going to use port 80", and likewise, "oh, FTP is always going to use ports 20-21". Bzzzt. Nothing stops a MASTER_SITE from being http://lelele.com:9382/.
[1]: The problem with sudo can be addressed; FTP_PASSIVE_MODE needs to be added to the env_keep list in the default sudoers file. I know the port maintainer, so I'll take this up with him so that users (including myself) don't keep getting bit by forgetting to set FTP_PASSIVE_MODE after doing a sudo.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.             PGP: 4BD6C0CB |
Re: Firewall and FreeBSD ports
> problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution. Am I correct in guessing that ports uses FTP to grab source files from

FTP or HTTP. If you have an http proxy like squid in your network, do:

export http_proxy=http://yourproxy:port
export ftp_proxy=http://yourproxy:port
Fwd: Firewall and FreeBSD ports
On Oct 10, 2008, at 2:41 PM, Jeremy Chadwick wrote:
> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> > On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
> > > On Fri, Oct 10, 2008 at 12:45:04PM -0400, John Almberg wrote:
> > > > I just set up a new server with a very restricted PF configuration. One problem: I can no longer install software with ports (i.e., the /usr/ports collection.) I have to disable PF to do so. Obviously not a great solution.
> > > >
> > > > Am I correct in guessing that ports uses FTP to grab source files from mirrors? I'm trying to figure out the smallest number of ports (the TCP/IP kind) that I need to open in my firewall. I don't want to enable incoming FTP requests, but do want to allow outgoing ftp requests, I believe.
> > > >
> > > > Am I on the right track, here?
> > >
> > > See the fetch(1) man page. Try this first:
> > >
> > > sh/bash: export FTP_PASSIVE_MODE=true
> > > csh:     setenv FTP_PASSIVE_MODE true

First off, this did solve the problem. Thank you, Jeremy. Now, as to the why...

> > Passive ftp has been the default for a long time; fetch is called with the -p option.
>
> Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.
>
> First off, libfetch (which is what fetch(1) uses) itself DOES NOT default to using FTP passive mode. You have to either pass the -p option to the fetch(1) binary, or you have to set the FTP_PASSIVE_MODE environment variable (which affects anything using libfetch).
>
> Secondly, the ports framework (not pkg_* tools!), specifically ports/Mk/bsd.port.mk, defines FETCH_ARGS with the -p argument to force passive mode. This will be used for things like "make fetch". It *will not* be used for things like "pkg_add -r" or "pkg_add ftp://...".
>
> The addition of the -p argument to FETCH_ARGS in ports/Mk/bsd.port.mk was applied to HEAD on 2006/09/20. HEAD at that time is what became FreeBSD 6.2.
> Of course, anyone updating their ports tree after that date would also get the change; I'm just pointing it out so people know what the actual date was when -p was added to the default argument list.
>
> Now let's expand a bit on FTP_PASSIVE_MODE, because I'm absolutely sure someone will try to argue that's also been turned on by default for a long time; I know how people are... :-)
>
> FTP_PASSIVE_MODE being set by default on login shells was induced by an addition to login.conf(5) back in late 2001 (around the time of RELENG_6). See revision 1.45 (not 1.44!) of src/etc/login.conf in cvsweb.
>
> But I'll remind people that login.conf only applies to login shells; logging in on the console, or logging in to an account via ssh [EMAIL PROTECTED]. Most people I know of *do not* SSH into their servers as root; they SSH in as themselves and use sudo. Some use su2, and some use su.

Root ssh access is disabled on this machine. I log in as a normal user, and then use sudo. The only time I use su is when sudo does not work (another question for another day!)

> Let's examine the behaviours:
>
> $ env | grep FTP
> FTP_PASSIVE_MODE=YES
>
> As you can see here, the machine I've SSH'd into as myself does apply login.conf's defaults. But...
>
> $ sudo -s
> # env | grep FTP
> # exit
> $ sudo -i
> # env | grep FTP
> #

H'mmm... yes. This is true on my machine, too.

> The above scenario (as root) fails, since the FTP_PASSIVE_MODE environment variable isn't being handed down from the login shell (my user account) to the root shell spawned by sudo[1]. su, on the other hand, does it a little differently:
>
> $ su
> Password:
> # env | grep FTP
> FTP_PASSIVE_MODE=YES
>
> And likewise, "su -l" behaves the same way.

Yes... although I must say I'm confused by this behavior... In fact, it's the exact opposite of what I'd expect... from the su man pages:

    -l  Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as above. USER is set to the target login.
        PATH is set to ``/bin:/usr/bin''.

So why isn't the FTP environment variable discarded?

> The OP did not disclose how he was installing ports. A lot of users think that packages == ports, so for all we know, he could be pkg_add'ing things while using sudo and running into this.

I believe I am using ports. In this case, I had just installed and configured PF (the first thing I do, now, when building a new machine.) I then wanted to install NTP:

cd /usr/ports/net/ntp
make config; make install clean

This failed because the mirrors were not accessible.

> If "make fetch" in an actual port is timing out, then he's either doing it on a machine with a ports tree prior to 2006/09/20 (see above), or his outbound pf rules are so strict that the machine is absurdly limited.

The machine has Production Release 7.0

My outbound PF rules are fairly loose. Inbound are very tight. This is going to be a database server with 1 user. It's going to be running one Ruby application that will accept new data and
Fwd: Firewall and FreeBSD ports
> sh/bash: export FTP_PASSIVE_MODE=true

Ah... because in passive mode, the client (my server) sets the data port, and my PF rules allow return data on the port used for the request. Okay... that makes sense, I think... (little by little, it sinks in...)

-- John
Re: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 11:41:40 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Fri, Oct 10, 2008 at 06:54:32PM +0100, RW wrote:
> > On Fri, 10 Oct 2008 09:51:16 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:
> >
> > Passive ftp has been the default for a long time; fetch is called with the -p option.
>
> Let's give the users some actual detail, not terse one-liners which will induce more questions/confusion.

[Snip some facts used as a blunt instrument]

> The OP did not disclose how he was installing ports. A lot of users think that packages == ports,

I don't normally do this as Watson is usually less impressed when Holmes reveals his working, but the clues were there. He wrote:

> install software with ports (i.e., the /usr/ports collection.)

and

> FTP to grab source files from mirrors

If you combine that with crediting the poster with enough common sense to mention he was using a version before 6.2, then it seemed unlikely to be a problem with active FTP.

BTW neither of us actually answered the question. I know I forgot as I was in a hurry. I'm pretty sure you didn't either, but I don't have the time to read all of your reply in detail. The answer is: enable outgoing tcp connections to port 21 and to all ports above 1023.
Re: Fwd: Firewall and FreeBSD ports
On Fri, 10 Oct 2008 16:16:29 -0400 John Almberg [EMAIL PROTECTED] wrote:
> On Oct 10, 2008, at 2:41 PM, Jeremy Chadwick wrote:
> > See the fetch(1) man page. Try this first:
> >
> > sh/bash: export FTP_PASSIVE_MODE=true
> > csh:     setenv FTP_PASSIVE_MODE true
>
> First off, this did solve the problem. Thank you, Jeremy. Now, as to the why...

That's odd, because if you are running 7.x with default settings, FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if it's set to no. Do you have any FETCH_* variables defined? What happens if you cd to a port directory and type:

make -V FETCH_CMD

?

> I believe I am using ports. In this case, I had just installed and configured PF (the first thing I do, now, when building a new machine.) I then wanted to install NTP:
>
> cd /usr/ports/net/ntp
> make config; make install clean
>
> This failed because the mirrors were not accessible.

I just tried this port myself and it failed on all four servers configured in the Makefile, only succeeding on the fallback Freebsd server (Freebsd's own cache for package building).

Unless you turn up something odd for FETCH_CMD, I think there's a good chance that you never had an FTP firewall problem in the first place, and that the file has simply been added to ftp.freebsd.org since you got the original failure.
Re: Firewall and FreeBSD ports
> > > sh/bash: export FTP_PASSIVE_MODE=true
> > > csh:     setenv FTP_PASSIVE_MODE true
> >
> > First off, this did solve the problem. Thank you, Jeremy. Now, as to the why...
>
> That's odd, because if you are running 7.x with default settings, FTP_PASSIVE_MODE should be irrelevant to fetching distfiles - even if it's set to no. Do you have any FETCH_* variables defined?

No

> What happens if you cd to a port directory and type:
>
> make -V FETCH_CMD
>
> ?

[EMAIL PROTECTED]:~] cd /usr/ports/shells/zsh
[EMAIL PROTECTED]:zsh] make -V FETCH_CMD
/usr/bin/fetch -ApRr
[EMAIL PROTECTED]:zsh]

> > I then wanted to install NTP:
> >
> > cd /usr/ports/net/ntp
> > make config; make install clean
> >
> > This failed because the mirrors were not accessible.
>
> I just tried this port myself and it failed on all four servers configured in the Makefile, only succeeding on the fallback Freebsd server (Freebsd's own cache for package building).
>
> Unless you turn up something odd for FETCH_CMD, I think there's a good chance that you never had an FTP firewall problem in the first place, and that the file has simply been added to ftp.freebsd.org since you got the original failure.

I just removed the FTP_PASSIVE_MODE variable from .bash_profile, logged out, and logged back in. I then tried to install another port and it installed without problem.

-- John
OpenBSD PF firewall in Freebsd
Hello all,

Is PF installed with the base system in FreeBSD 6.1? I see that there is IPF, is it the same thing? I didn't find PF in the ports tree, so that's why I'm asking.

Thanks!
Re: OpenBSD PF firewall in Freebsd
On 2006-07-25 18:53, Ivan Levchenko [EMAIL PROTECTED] wrote:
> Hello all,
>
> Is PF installed with the base system in FreeBSD 6.1? I see that there is IPF, is it the same thing? I didn't find PF in the ports tree, so that's why I'm asking.

Yes, PF is part of the base system in recent FreeBSD releases. To enable PF support, you can either load it as a module (kldload pf), or compile it into your custom kernel.

The startup scripts of the system support loading the module, if necessary, so to use PF you can just enable it in `/etc/rc.conf', i.e. with something like:

pf_rules=/etc/pf.conf
pf_enable=YES
pflog_enable=YES

Then, all you have to do is tune your ruleset in `/etc/pf.conf', and off you go :)

One tricky point that you should pay attention to is that when PF is used as a loadable kernel module you cannot use ALTQ for traffic shaping. To be able to use the ALTQ features, you have to build a custom kernel that includes both PF and ALTQ options.

HTH,
-- Giorgos
RE: OpenBSD PF firewall in Freebsd
yes OpenBSD pf is part of the FreeBSD base release. Read the firewall section of the handbook for instructions on how to activate.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ivan Levchenko
Sent: Tuesday, July 25, 2006 11:53 AM
To: freebsd-questions@freebsd.org
Subject: OpenBSD PF firewall in Freebsd

> Hello all,
>
> Is PF installed with the base system in FreeBSD 6.1? I see that there is IPF, is it the same thing? I didn't find PF in the ports tree, so that's why I'm asking.
>
> Thanks!
Re: OpenBSD PF firewall in Freebsd
Thanks everybody, looks great.. thanks for the reply!

On 7/25/06, fbsd [EMAIL PROTECTED] wrote:
> yes OpenBSD pf is part of the FreeBSD base release. Read the firewall section of the handbook for instructions on how to activate.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ivan Levchenko
> Sent: Tuesday, July 25, 2006 11:53 AM
> To: freebsd-questions@freebsd.org
> Subject: OpenBSD PF firewall in Freebsd
>
> > Hello all,
> >
> > Is PF installed with the base system in FreeBSD 6.1? I see that there is IPF, is it the same thing? I didn't find PF in the ports tree, so that's why I'm asking.
> >
> > Thanks!
Re: Application layer firewall on FreeBSD, is it possible ?
hey,

Daniel Dvořák wrote:
> We are small wireless community and have shared access to internet for all members. Core members decided to control p2p traffic by default and to allow each person in individual way, after showing their knowledge of authorial low. :)

I think you mean copyright law.

> But since many dc hubs, edonkey servers, bittorrent web trackers and so on use dynamic not standard ports, how to control it ?

I haven't seen any way to control traffic for P2P apps reliably @ the protocol layer, u need to inspect it. Something like snort attached to your firewall, I guess ... though it'd be a reverse IDS (or a reverse IPS, intrusion prevention system, I've seen it called...)

a quick search in ports for ids shows:

/net/libnids
/security/libprelude and other prelude related ports
/security/snortms and other snort related ports

> Linux uses l7-filter (http://sourceforge.net/projects/l7-filter, sourceforge freeware), which is based on iptables and defines application protocols like the ethereal project does.

right - so something like applying ethereal rules to the output of tcpdump and updating the rules in realtime...mind you, many of these apps/protocols are extremely flexible, they'll change how they connect very fast, which will put the load on your firewall

> So, is there any way to do same application layer osi model firewall with FreeBSD gateway ?

i don't see why not...though it's obvious I'm not sure how :) please share the answer when you find it :)
Re: Application layer firewall on FreeBSD, is it possible ?
Norberto Meijome wrote:

after reading my own post i realised it wasn't too clear

> I haven't seen any way to control traffic for P2P apps reliably @ the protocol layer,

'I haven't seen any way to reliably control traffic for P2P apps by simply looking @ ports + IP protocol'

> u need to inspect it.

you need to analyse the packets.

> Something like snort attached to your firewall, I guess ... though it'd be a reverse IDS (or a reverse IPS, intrusion prevention system, I've seen it called...)

... which would update/feed rules to the firewall / packet filter.

aka proxy...maybe SOCKS would achieve this? (mind you, most p2p apps have settings for socks

B
Application layer firewall on FreeBSD, is it possible ?
Hi all,

let me ask you for a task: how to control p2p applications and their traffic with dynamic ports from users' computers on a gateway.

We are small wireless community and have shared access to internet for all members. Core members decided to control p2p traffic by default and to allow each person in individual way, after showing their knowledge of authorial low. :)

But since many dc hubs, edonkey servers, bittorrent web trackers and so on use dynamic not standard ports, how to control it ?

Linux uses l7-filter (http://sourceforge.net/projects/l7-filter, sourceforge freeware), which is based on iptables and defines application protocols like the ethereal project does.

So, is there any way to do same application layer osi model firewall with FreeBSD gateway ?

Of course, I tried to find on web, I have not been successful in searching so far.

If my question is not right in this mailing list, if my question is annoying here, so I am sorry.

Dan
FW: Application layer firewall on FreeBSD, is it possible ?
... but you know, proxy is not what I am asking, proxy is not firewall.

We do not need to restrict everything and all members. We like a fully routable network with full access to IPv6 / IPv4 internet without any necessary action like configuring proxy clients at all PCs of our members. We only want to deny only p2p applications by default for all PCs regardless of used protocol/ports and to allow granting access to p2p networks to each member in an individual way, because we have to prevent another letter from our ISP which was contacted by BSA that from our public IP ( from one member in private ip space ) ... traffic ... share ... violate ... authorial law.

So of course it must be a combination of IP and application osi model firewall. Gateway server should check all packets and their contents to decide if allowed or denied in a fast way like l7-filter on Linux OS.

So is it possible on FreeBSD OS ?

Thanks
Dan

_____
From: Daniel Dvořák [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 31, 2005 1:47 AM
To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org'; 'freebsd-pf@freebsd.org'
Subject: Application layer firewall on FreeBSD, is it possible ?

> Hi all,
>
> let me ask you for a task: how to control p2p applications and their traffic with dynamic ports from users' computers on a gateway.
>
> We are small wireless community and have shared access to internet for all members. Core members decided to control p2p traffic by default and to allow each person in individual way, after showing their knowledge of authorial low. :)
>
> But since many dc hubs, edonkey servers, bittorrent web trackers and so on use dynamic not standard ports, how to control it ?
>
> Linux uses l7-filter (http://sourceforge.net/projects/l7-filter, sourceforge freeware), which is based on iptables and defines application protocols like the ethereal project does.
>
> So, is there any way to do same application layer osi model firewall with FreeBSD gateway ?
> Of course, I tried to find on web, I have not been successful in searching so far.
>
> If my question is not right in this mailing list, if my question is annoying here, so I am sorry.
>
> Dan
Re: firewall on FreeBSD
--On June 26, 2005 12:40:14 AM +0100 Alex Zbyslaw [EMAIL PROTECTED] wrote:

> Paul Schmehl wrote:
> > --On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
> > > I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4
> > > Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?
> >
> > pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
>
> This makes no sense to me. The two firewalls work very differently. In pf, each rule is always processed on every packet and the last rule matching determines the action. quick terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it).
>
> ipfw does not match every rule for every packet, rather it processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

Precisely.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
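As an added illustration (not code from this thread), the following Python model ties together RW's answer earlier on this page (allow outbound TCP to port 21 and to ports above 1023, with state, inbound otherwise blocked) and the pf-versus-ipfw matching semantics Alex describes above: it replays a passive and an active FTP data connection through a stateful pf-style ruleset, then evaluates one rule list under last-match, first-match and `quick`. The client ports 49152-49154 and the server-chosen data port 2049 are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the network) or "out" (leaving this host)
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions, as in "block all"
    dst_port: Optional[str] = None   # "21", ">1023", or None for any port
    quick: bool = False              # pf only: stop evaluating once this rule matches
    keep_state: bool = False         # record the connection so replies bypass the ruleset

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.dst_port is None:
            return True
        if self.dst_port.startswith(">"):
            return pkt.dst_port > int(self.dst_port[1:])
        return pkt.dst_port == int(self.dst_port)

def pf_match(rules, pkt: Packet) -> Optional[Rule]:
    """pf: every rule is evaluated and the LAST match wins, unless a matching
    rule carries 'quick', which ends evaluation on the spot."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner

def ipfw_match(rules, pkt: Packet) -> Optional[Rule]:
    """ipfw: rules are walked in order and the FIRST match with a terminating
    action (pass/block) decides, so no 'quick' keyword is needed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None

class StatefulFirewall:
    """A matcher plus a minimal state table keyed on (local port, remote port):
    this is how 'keep state' lets replies through without any pass-in rule."""
    def __init__(self, rules, matcher, default: str):
        self.rules, self.matcher, self.default = rules, matcher, default
        self.states = set()

    @staticmethod
    def _key(pkt: Packet):
        # Normalise to (local, remote) so both directions of a connection share a key.
        return (pkt.src_port, pkt.dst_port) if pkt.direction == "out" else (pkt.dst_port, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        if self._key(pkt) in self.states:
            return "pass"          # reply on an established connection
        rule = self.matcher(self.rules, pkt)
        if rule is None:
            return self.default    # pf passes unmatched traffic; ipfw's rule 65535 denies it
        if rule.action == "pass" and rule.keep_state:
            self.states.add(self._key(pkt))
        return rule.action

# RW's minimal policy written for pf's last-match semantics: block everything, then
# allow outbound TCP to port 21 and to any port above 1023, keeping state.
RESTRICTED_PF = [
    Rule("block"),
    Rule("pass", direction="out", dst_port="21", keep_state=True),
    Rule("pass", direction="out", dst_port=">1023", keep_state=True),
]

def passive_ftp_data(fw: StatefulFirewall) -> str:
    """Passive mode: after PASV the client opens the data connection itself, so it
    leaves as outbound traffic. Ports 49152/49153 and server port 2049 are assumed."""
    fw.filter(Packet("out", 49152, 21))           # control connection
    fw.filter(Packet("out", 49153, 2049))         # client-initiated data connection
    return fw.filter(Packet("in", 2049, 49153))   # server's reply on that connection

def active_ftp_data(fw: StatefulFirewall) -> str:
    """Active mode: the server connects back from port 20 to the port the client
    announced with PORT; the gateway sees a fresh inbound SYN with no state."""
    fw.filter(Packet("out", 49152, 21))
    return fw.filter(Packet("in", 20, 49154))

def ordering_matters(pkt: Packet) -> dict:
    """The same two rules with 'block all' last, decided by each engine."""
    pass_21 = Rule("pass", direction="out", dst_port="21")
    pass_21_quick = Rule("pass", direction="out", dst_port="21", quick=True)
    return {
        "ipfw first-match": ipfw_match([pass_21, Rule("block")], pkt).action,
        "pf last-match": pf_match([pass_21, Rule("block")], pkt).action,
        "pf with quick": pf_match([pass_21_quick, Rule("block")], pkt).action,
    }
```

Feeding RESTRICTED_PF unchanged to ipfw_match blocks even the passive case, because ipfw stops at the leading "block all"; an ipfw ruleset needs its pass rules first.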
Re: firewall on FreeBSD
* Paul Schmehl [EMAIL PROTECTED] [2005-06-24 12:58:51 -0500]:
> I've been using pf for a few years now, and I've never had problems understanding the syntax or how it works (but I also never do NAT, so that might be the reason it seems easy to me.)

Yes, pf is great, but doing NAT with pf is also just as easy to understand. It depends on what you are doing, but for most people using NAT is as easy turning on ip forwarding via sysctl and adding a single line to your pf.conf configuration file (nat on $ext_if...).

Thomas

-- 
N.J. Thomas
[EMAIL PROTECTED]
Etiamsi occiderit me, in ipso sperabo
Re: firewall on FreeBSD
Giorgos Keramidas wrote:
> On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> > Paul Schmehl wrote:
> > > pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
> >
> > This makes no sense to me. The two firewalls work very differently. [...]
>
> You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that ``This makes no sense to you''

Maybe I'm misreading something, or taking it out of context, but the statement "ipfw does not support the quick keyword" makes no sense to me. For me, it implies that somehow ipfw could (or even should) support the quick keyword, and that is nonsensical. The way ipfw rules work there is not only no need to support a quick keyword, but no point in supporting one because all relevant matches are already quick, by definition.

Maybe I'm being overly pedantic, but if I had stumbled across this message in an archive search, and knew nothing about FreeBSD firewalls, I could easily take it to mean that ipfw was lacking a feature with respect to pf when, in fact, it wasn't. (There may be plenty of other reasons for picking one firewall or the other, but the lack of a quick keyword in ipfw isn't one of them).

Am *I* making any more sense, now?

--Alex
Re: firewall on FreeBSD
On 2005-06-26 22:15, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Giorgos Keramidas wrote:
>> On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
>>>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
>>> This makes no sense to me. The two firewalls work very differently. [...]
>> You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that ``This makes no sense to you''?
> Maybe I'm misreading something, or taking it out of context, but the statement "ipfw does not support the quick keyword" makes no sense to me. [...]
> Am *I* making any more sense, now?

Yes, thank you :)
Re: firewall on FreeBSD
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd

FreeBSD has m0n0wall and it just works. For example, yesterday I set up a site-to-site VPN using two m0n0wall boxes and it took me less than 5 minutes to reconfigure the boxes, in-production systems, to do it. I think I spent more time trying to generate a suitable 3DES shared key than it took to reconfigure the boxes.
Re: firewall on FreeBSD
...snip...
> Personally, I like the quick keyword of the OpenBSD firewall, (but not enough to bother installing it.)
>
> Paul Schmehl ([EMAIL PROTECTED])

I've a firewall/router/proxy with OpenBSD and am thinking of replacing it with FreeBSD 5.4. Do you mean FreeBSD's PF doesn't support the 'quick' keyword?? I thought PF on FreeBSD and OpenBSD were identical, aren't they?

mess-mate
--
What I tell you three times is true. -- Lewis Carroll
Re: firewall on FreeBSD
On Sat, Jun 25, 2005 at 08:42:24AM +0200, mess-mate wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?

I don't know if they're identical, but PF does support the 'quick' keyword on FreeBSD.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: firewall on FreeBSD
mess-mate wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?

It's a port; pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionality not supported yet on FBSD.

The basic stuff is all the same. I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
Re: firewall on FreeBSD
On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
> mess-mate wrote:
>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?
> It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionalities not supported yet on FBSD.
> The basic stuff is all the same, I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)
> Cheers, Erik

Minor correction: pf is built into the kernel by default in FreeBSD 5.4. I think this started with FreeBSD 5.3. It may still be in the ports system, but that would be for use in FreeBSD 4.* and earlier versions of 5.*.

Have a great weekend!

Andrew Gould
Re: firewall on FreeBSD
Andrew L. Gould [EMAIL PROTECTED] wrote:
> On Saturday 25 June 2005 05:19 am, Erik Nørgaard wrote:
>> mess-mate wrote:
>>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?
>> It's a port, pf on FBSD 5.4 is the same as pf on OBSD 3.6, AFAIK. So if your OBSD is the latest or updated after 3.6, then you might have functionalities not supported yet on FBSD.
>> The basic stuff is all the same, I don't think anyone could survive without 'quick', just as 'pass' and 'block' are supported on both platforms :-)
>> Cheers, Erik
> Minor correction: pf is built into the kernel by default in FreeBSD 5.4. I think this started with FreeBSD 5.3. It may still be in the ports system; but that would be for use in FreeBSD 4* and earlier versions of 5*.
> Have a great weekend!
> Andrew Gould

The OpenBSD version is 3.5. Can I port the pf config file to FreeBSD?

Great weekend too.

mess-mate
--
There is a 20% chance of tomorrow.
Re: firewall on FreeBSD
--On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?

pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Re: firewall on FreeBSD
Paul Schmehl wrote:
> --On June 25, 2005 8:42:24 AM +0200 mess-mate [EMAIL PROTECTED] wrote:
>> I've a firewall/router/proxy with openbsd and think to replace it with freebsd 5.4. Do you mean freebsd's PF don't support the 'quick' keyword ?? Thought PF on freebsd and openbsd was identical, isn't ?
> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.

This makes no sense to me. The two firewalls work very differently.

In pf, each rule is always processed on every packet and the last rule matching determines the action. "quick" terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it).

ipfw does not match every rule for every packet; rather, it processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

--Alex
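The semantic difference Alex describes, as an added worked example (an illustration for this thread, not FreeBSD, pf or ipfw code): a small Python model of the two evaluation strategies. The Rule and Packet types, the rulesets and the packets are constructed for the demo, and the model deliberately leaves out state, interfaces and direction. It shows why the same ordered list of rules gives opposite verdicts under last-match and first-match evaluation, what `quick` changes, and how a pf ruleset can be reordered so a first-match engine reproduces its decisions.

```python
"""Rule-evaluation semantics: pf (last match wins, 'quick' ends evaluation)
versus ipfw (first matching rule wins). Added illustration for this thread,
not FreeBSD code; the rules and packets below are constructed samples."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block" (ipfw would say allow/deny)
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False         # pf only: a matching quick rule is final


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Plain header match; no state table, no interfaces, no direction."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def pf_verdict(rules: List[Rule], pkt: Packet) -> str:
    """pf walks the whole ruleset; the LAST matching rule decides, unless a
    matching rule is marked quick, which stops the walk at once.
    A packet that matches nothing is passed (pf's implicit default)."""
    verdict = "pass"
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


def ipfw_verdict(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfw walks rules in number order and the FIRST matching rule with a
    terminating action decides; there is nothing for 'quick' to add.
    Unmatched packets hit rule 65535, 'deny ip from any to any', unless the
    kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def pf_to_first_match(rules: List[Rule]) -> List[Rule]:
    """Reorder a pf ruleset so a first-match engine gives the same verdicts.
    pf's result is the first matching quick rule if any quick rule matches,
    otherwise the last matching non-quick rule: so quick rules go first in
    their original order, followed by the non-quick rules reversed."""
    quick = [r for r in rules if r.quick]
    rest = [r for r in rules if not r.quick]
    return quick + rest[::-1]


# Constructed samples: a ruleset written the pf way (block everything, then
# list the exceptions), one using quick, and packets to feed through them.
PF_STYLE = [
    Rule("block"),
    Rule("pass", "tcp", dport=22),
    Rule("pass", "tcp", dport=80),
]
QUICK_STYLE = [
    Rule("block", src="10.0.0.0/8", quick=True),   # bad net: final decision
    Rule("pass", "tcp", dport=22),
]
SSH = Packet("tcp", "192.0.2.10", "198.51.100.1", 22)
SSH_FROM_BAD_NET = Packet("tcp", "10.1.2.3", "198.51.100.1", 22)
SMTP = Packet("tcp", "192.0.2.10", "198.51.100.1", 25)


def same_verdicts(rules: List[Rule], packets: List[Packet]) -> bool:
    """True if the reordered ruleset reproduces pf's decisions on a
    first-match engine (ipfw's default forced to pf's 'pass' for the check)."""
    converted = pf_to_first_match(rules)
    return all(pf_verdict(rules, p) == ipfw_verdict(converted, p, "pass")
               for p in packets)


if __name__ == "__main__":
    for name, p in [("ssh", SSH), ("ssh from 10/8", SSH_FROM_BAD_NET), ("smtp", SMTP)]:
        print(f"{name:14} pf: {pf_verdict(PF_STYLE, p):5}  "
              f"same list on ipfw: {ipfw_verdict(PF_STYLE, p)}")
    no_quick = [Rule("block", src="10.0.0.0/8"), QUICK_STYLE[1]]
    print("10/8 -> ssh, pf with quick:", pf_verdict(QUICK_STYLE, SSH_FROM_BAD_NET),
          " without quick:", pf_verdict(no_quick, SSH_FROM_BAD_NET))
```

Run it directly to print the verdicts. The point to keep when moving a ruleset between the two engines: under pf the block-then-exceptions layout passes SSH, while the identical list fed to a first-match engine blocks everything at rule one; `quick` makes a single pf rule behave the way every ipfw rule already does. The defaults for a packet that matches nothing still differ (pf passes it, ipfw's rule 65535 denies it unless the kernel says otherwise), so writing the catch-all rule out explicitly in either syntax removes that dependence.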
Re: firewall on FreeBSD
On 2005-06-26 00:40, Alex Zbyslaw [EMAIL PROTECTED] wrote:
> Paul Schmehl wrote:
>> pf on freebsd does support the quick keyword. The default firewall, ipfw, does not.
> This makes no sense to me. The two firewalls work very differently. In pf, each rule is always processed on every packet and the last rule matching determines the action. quick terminates the rule matching and forces the quick rule to be, in effect, the final rule (assuming the packet matched it). ipfw does not match every rule for every packet, rather is processes down the rules until the packet matches one with a terminating action such as accept or deny. No quick keyword is needed.

You describe very nicely the way rules are matched by two of the three different firewalls available on FreeBSD. The description, being very correct, *does* make sense. Why do you say that ``This makes no sense to you''?
firewall on freebsd
I'm going to learn about the FreeBSD firewall. The handbook lists some of them and I could not find out which is the best. So I decided to post here hoping to gain some of your opinions and experience. I would like to know which firewall is the most wanted. I have used Linux for several months and iptables was a good stateful firewall. What about FreeBSD?

Thanks for reading :)
--
Cao Van Khanh
RE: firewall on FreeBSD
Which firewall you select to use should be based on your level of understanding of how information is moved across the internet. Ipfilter is best suited for people who are just learning about firewalling. PF is a little more automated and the rules are very close to IPF's. IPFW is for advanced firewall users who have an expert understanding of the internet. All 3 firewalls support stateful rules and are available in the 5.4 release.

Best advice is to start with Ipfilter, and when you find out that you have needs which are not met by Ipfilter, then move over to IPFW.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 9:33 AM
To: freebsd-questions
Subject: firewall on freebsd
Re: firewall on freebsd
On June 24, 2005 09:33 am, Khanh Cao Van wrote:
> I'm going to learn about the freebsd firewall . In the handbook list some of them and I could not find out what is the best . So I decided to post here hoping to gain some of your opinion and experience . I would like to know what firewall was the most wanted ? I have used Linux several months and IP tables was a good statefull firewall . What about in freeBSD ?

All three are well written and all three pretty much do the same thing. Some things you may want to consider when choosing which firewall product to use:

IPFW is part of FreeBSD and only runs on FreeBSD. Filtering is implemented in the kernel, NAT is a user-land daemon.

IPFilter is written to work with many operating systems (FreeBSD and Solaris are two examples). Filtering and NAT both run in the kernel.

IPF was written for OpenBSD and later ported to FreeBSD. IPF came into existence because of disagreements between certain members of the OpenBSD team and the author of IPFilter. Filtering is done in the kernel and I believe NAT is also in-kernel.

I have used both IPFW and IPFilter professionally. I prefer IPFW but only because I am more used to its filtering language. I have not found a sufficiently good technical reason for choosing one over the other.

For anyone who wants to start the in-kernel vs user-land NAT argument, I've already been through it and there are valid arguments for both sides. So, I won't get into it again.

--
Ean Kingston
E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network administration please feel free to contact me directly.
Re: firewall on freebsd
On Friday 24 June 2005 10:59 am, Ean Kingston wrote:
> IPF was written for OpenBSD and later ported to FreeBSD. IPF came into existence because of disagreements between certain members of the OpenBSD team and the author of IPFilter. Filtering is done in the kernel and I believe NAT is also in-kernel.

The OpenBSD packet filter is known as pf, not ipf. It exists in FreeBSD as pf. I have to say that I find it has some very useful features, though they are outside the mainstream firewall feature set. For instance, authpf. When you log into the firewall (usually via ssh), if the account's login shell is authpf, a special set of firewall rules gets loaded for the IP address the client is connecting from.

I have used pf and ipfw, and they're both fine. If I had to pick, I'd choose pf because I like that it uses a separate configuration file, rather than a shell script to load its rules. I'm not an expert on either.

Mike
RE: firewall on freebsd
I have been using ipfw for quite some time and I love it. The only issues I have with it are on the NAT side. Without a tool to modify the current NAT rules, I cannot change them dynamically without editing my config file and then doing something like

    killall -9 natd ; sleep 2 ; /sbin/natd -f /etc/natd.conf

to reinitialize it. Also, natd is resource intensive. I have a PII 266 (not exactly a monster) and natd chews up 20-30 percent of my CPU during the day while NATing about 3Mb/sec of traffic.

I am planning on switching to pf and implementing a load-balanced pair of firewalls using carp and pfsync. I hope that using in-kernel NAT will help performance and give me better control while adding/removing rules.

--
Chad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Khanh Cao Van
Sent: Friday, June 24, 2005 8:33 AM
To: freebsd-questions
Subject: firewall on freebsd
Re: firewall on FreeBSD
On 2005-06-24 10:31, fbsd_user [EMAIL PROTECTED] wrote:
> Which firewall you select to use should be based on your level of understanding of how information is moved across the internet. Ipfilter is best suited for people who are just learning about firewalling. PF is a little more automated and the rules are very close to IPF's.

True.

> IPFW is for the advanced firewall users who have expert understanding of the internet.

Blatantly false.

> All 3 firewalls support stateful rules and are available in the 5.4 release. Best advice is start with Ipfilter and when you find out that you have needs which are not met by Ipfilter then move over to IPFW.

IPFW or PF is fine for starting too. The choice of the best firewall is, these days, more often than not an issue of which one matches the specific application and the taste of the one who is going to set it up, i.e.

* DUMMYNET is a very nice bandwidth limiting/shaping tool, which may sometimes lead to choosing IPFW.

* On the other hand, PF/ALTQ may be used to do similar things, so some users will obviously prefer this set of tools for other reasons (for instance, because they like the ruleset style better).

* IP Filter is almost obsoleted by PF on FreeBSD, but it's still one of the most portable firewalls out there (I use it on Solaris all the time, for example).

There isn't a best firewall for all cases. They all have their respective strengths and/or weaknesses.

=== To the original poster ===

I say, try them all out and choose the one _YOU_ prefer, for the reasons that are important in _YOUR_ setup.

- Giorgos
Re: firewall on freebsd
On 2005-06-24 10:59, Ean Kingston [EMAIL PROTECTED] wrote:
> For anyone who wants to start the in-kernel vs user-land NAT argument, I've already been through it and there are valid arguments for both sides. So, I won't get into it again.

Agreed. Most of the people who use FreeBSD in SOHO installations (small office, home office), and have far less than dozens of systems behind a NAT-ting FreeBSD system, will very rarely have a chance to notice *ANY* difference between userlevel vs. in-kernel NAT.

This top snapshot:

http://keramida.serverhive.com/pixelshow-top.txt

is from a relatively recent demo-party where ipfw/natd were used in a gateway for more than 100 systems madly downloading files from each other and from the wide Internet. Notice the 97% idle CPU percentage :-)

If FreeBSD can handle NAT, packet forwarding, and general connectivity for more than 100 systems and still sit 97% of the time waiting for something interesting to happen, then I'd be surprised if SOHO users with fewer than 10-15 systems will notice anything :)
Re: firewall on FreeBSD
--On June 24, 2005 5:31:13 PM +0100 [EMAIL PROTECTED] wrote:
> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of understanding of how information is moved across the internet. Ipfilter is best suited for people who are just learning about firewalling. PF is a little more automated and the rules are very close to IPF's. IPFW is for the advanced firewall users who have expert understanding of the internet. All 3 firewalls support stateful rules and are available in the 5.4 release. Best advice is start with Ipfilter and when you find out that you have needs which are not met by Ipfilter then move over to IPFW.
> Is this right? If it is, then I'm a lot smarter than I give myself credit for.

The first firewall I ever used was ipchains. Then I used iptables, but I never learned much about either because Linux obscures the config (unless you're doing something fancy, you can run setup on the CLI, click a few check boxes and you're done). When I decided to switch a server over to FBSD, I had to read the man page to understand how pf worked, because there *was* no setup to run. I've been using pf for a few years now, and I've never had problems understanding the syntax or how it works (but I also never do NAT, so that might be the reason it seems easy to me.)

> I started off using IPFW, and found it no harder or easier than ipfilter, which I am using now. Can't remember the reason I changed to ipfilter; think it might have something to do with being easier to use with ipnat, but I am pretty happy with it. Is there anything that ipfw does better than ipfilter to make it preferable?

The only thing I would say about firewalls is, know what you're doing and do it at the console. There's nothing like having to get dressed and drive 40 miles to fix a box because you screwed up the firewall config while working remotely to impress upon you the need to work at the console. :-)

Personally, I like the quick keyword of the OpenBSD firewall, (but not enough to bother installing it.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
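Paul's warning about locking yourself out while editing the firewall remotely, as an added example (not from the thread and not FreeBSD code): a guarded reload that applies the new ruleset and rolls back unless the operator confirms in time. The pf commands under `__main__`, the saved-copy path and the confirmation file are assumptions for illustration; the function itself only runs whatever commands it is handed, so the same wrapper works for ipfw or ipf scripts. Two practical caveats: run it under nohup, screen or tmux, because if the new rules cut your SSH session the script would otherwise die with the session's SIGHUP before it can roll back; and confirm from a second session opened after the reload, since an already-established session keeps its state entry and can survive rules that would block a fresh connection.

```python
"""Guarded remote firewall reload: apply a new ruleset, then roll back to a
saved copy unless the operator confirms within a timeout. Added example for
this thread, not FreeBSD code. It shells out to whatever commands it is
given; the pf commands and paths in __main__ are assumptions, and the test
drives it with stand-in runners instead of real commands."""

import os
import subprocess
import time
from typing import Callable, List


def run(cmd: List[str]) -> bool:
    """Run a command and report success; its stderr is left visible."""
    return subprocess.run(cmd, check=False).returncode == 0


def guarded_reload(apply_new: List[str], restore_old: List[str],
                   confirm_path: str, timeout_s: float,
                   runner: Callable[[List[str]], bool] = run,
                   poll_s: float = 1.0) -> str:
    """Apply the new ruleset; if the operator does not create confirm_path
    (from a second, still-working session) before timeout_s elapses, restore
    the old one. Returns 'kept', 'rolled_back', 'apply_failed' or
    'rollback_failed'. The caller must have saved a loadable copy of the
    currently working rules before calling this."""
    if os.path.exists(confirm_path):
        os.remove(confirm_path)       # a stale ack from an earlier run must not count
    if not runner(apply_new):
        return "apply_failed"         # old rules are still loaded; nothing to undo
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if os.path.exists(confirm_path):
            os.remove(confirm_path)
            return "kept"
        time.sleep(min(poll_s, max(0.0, deadline - time.monotonic())))
    # No ack: the new rules may have cut us off, so restore unconditionally
    # and report whether the restore command itself succeeded.
    return "rolled_back" if runner(restore_old) else "rollback_failed"


if __name__ == "__main__":
    # Assumed pf layout: /etc/pf.conf.last is a copy of the last ruleset that
    # was known to work, made before /etc/pf.conf was edited.
    print(guarded_reload(
        apply_new=["pfctl", "-f", "/etc/pf.conf"],
        restore_old=["pfctl", "-f", "/etc/pf.conf.last"],
        confirm_path="/var/run/pf.confirm",   # operator: touch this to keep the new rules
        timeout_s=120,
    ))
```

If `pfctl -f` rejects the new file for a syntax error the old rules stay loaded and the function reports apply_failed without touching anything, so a `pfctl -nf` dry run beforehand is a convenience rather than a requirement.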
Hardware vs software firewall on FreeBSD
I'm upgrading the hardware on my webserver. It will run FreeBSD 4.9. I need to decide whether to use a hardware firewall (Cisco) or use ipfw, ipf, pf, etc. The hardware firewall will increase my monthly server rental bill by almost 30%. So I'm wondering if the significant extra cost is worth it. What kind of performance hit will result from using ipfw, ipf or pf?

I would like to avoid the extra expense of the hardware firewall. Can anyone offer an opinion on this matter? Any good reasons to use one over the other?

Mark L.
Re: Hardware vs software firewall on FreeBSD
On Thu, 12 Feb 2004 12:37:45 -0800 [EMAIL PROTECTED] wrote:
> I'm upgrading the hardware on my webserver. It will run FreeBSD 4.9. I need to decide whether to use a hardware firewall (Cisco) or use ipfw, ipf, pf, etc. The hardware firewall will increase my monthly server rental bill by almost 30%. So I'm wondering if the significant extra cost is worth it. What kind of performance hit will result from using ipfw, ipf or pf?

AFAIK you will not get any noticeable performance hit from any of those.

> I would like to avoid the extra expense of the hardware firewall. Can anyone offer an opinion on this matter? Any good reasons to use one over the other?

I personally don't trust hardware firewalls any more than I trust a software firewall. Problems can occur in either, and software is easier to update, etc. I really don't see how it makes a difference if something is written in Verilog or C or whatever. The only difference is one is easier to back work than the other.