RE: Advice on which FreeBSD firewall package to choose.
Thanks to everyone who responded. It looks like pfsense will do the job nicely.

Cheers,
Brett.

-----Original Message-----
From: Eric [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 January 2007 10:52 a.m.
To: Brett Davidson
Cc: [EMAIL PROTECTED]
Subject: Re: Advice on which FreeBSD firewall package to choose.

Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:
> A FreeBSD router comprising of four physical interfaces -
> Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> Eth1 is a 100Mbit DMZ housing a webserver.
> Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
> Eth3 is the inside LAN.
> Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall).
> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
> Is there an equivalent to HTB on FreeBSD?
> I look forward to your answers...
> Regards,
> Brett.

i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.
Re: Advice on which FreeBSD firewall package to choose.
On 05/01/2007 at 10:25:30+1300, Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:
> A FreeBSD router comprising of four physical interfaces -
> Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> Eth1 is a 100Mbit DMZ housing a webserver.
> Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
> Eth3 is the inside LAN.
> Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall).
> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
> Is there an equivalent to HTB on FreeBSD?
> I look forward to your answers...

I've been using ipfw and pf for this.

If you have some knowledge of Cisco ACLs you can use ipfw (it's first match-use).

pf has some very useful features. With pf it's last match first-use, and it's easier to add some ACLs with pf for a script (like ssh_bruteforce).

Regards.

--
Albert SHIH
Observatoire de Paris Meudon
Local time: Fri 5 Jan 2007 09:08:19 CET
Re: Advice on which FreeBSD firewall package to choose.
Atom Powers wrote:
> On 1/4/07, Eric [EMAIL PROTECTED] wrote:
>> Brett Davidson wrote:
>>> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
>>> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw.
>>> ...
>>> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
>>> Is there an equivalent to HTB on FreeBSD?
>> i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.
> pf will also do the bandwidth management you want. I've used ipfw, ipf, iptables, and pf; pf is by far the most powerful and easy to use.

I also heartily endorse the use of pf. However be aware that if you want to use the QoS and other bandwidth management features you will need to compile yourself a custom kernel with the appropriate ALTQ stuff turned on. Unfortunately ALTQ is not currently available as a loadable module. Compiling a new kernel is not particularly difficult though.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Advice on which FreeBSD firewall package to choose.
It seems it is unanimous... PF it is... remember you have to compile the kernel to activate this, I've done it for the first time yesterday and it's very simple... also check out the ALTQ for QoS, good luck

2007/1/5, Matthew Seaman [EMAIL PROTECTED]:
> Atom Powers wrote:
>> On 1/4/07, Eric [EMAIL PROTECTED] wrote:
>>> Brett Davidson wrote:
>>>> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
>>>> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw.
>>>> ...
>>>> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
>>>> Is there an equivalent to HTB on FreeBSD?
>>> i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.
>> pf will also do the bandwidth management you want. I've used ipfw, ipf, iptables, and pf; pf is by far the most powerful and easy to use.
> I also heartily endorse the use of pf. However be aware that if you want to use the QoS and other bandwidth management features you will need to compile yourself a custom kernel with the appropriate ALTQ stuff turned on. Unfortunately ALTQ is not currently available as a loadable module. Compiling a new kernel is not particularly difficult though.
> Cheers,
> Matthew
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Advice on which FreeBSD firewall package to choose.
Agus wrote:
> It seems it is unanimous... PF it is... remember you have to compile the kernel to activate this, I've done it for the first time yesterday and it's very simple... also check out the ALTQ for QoS, good luck

just pf does not require touching the kernel, you can load the module, you just need the rc.conf entries for it.

ALTQ is another story tho. that needs to be in the kernel.
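
The setup the thread converges on (pf enabled through rc.conf, ALTQ compiled into the kernel) applied to the four-interface router from the original question, as an added example that is not from any poster in this thread. Interface names, addresses, ports and the uplink rate are assumed placeholders, and CBQ is picked here as the hierarchical ALTQ scheduler.

```pf
# Prerequisites outside this file:
#   kernel config: "options ALTQ" and "options ALTQ_CBQ", then rebuild the kernel
#   /etc/rc.conf:  pf_enable="YES", pf_rules="/etc/pf.conf", gateway_enable="YES"
# Interface names, addresses, ports and rates are constructed placeholders.
ext_if   = "em0"             # outside cable link
dmz_if   = "em1"             # web server DMZ
wlan_if  = "em2"             # wireless DMZ
int_if   = "em3"             # inside LAN
web_srv  = "192.168.1.10"    # assumed DMZ web server
p2p_host = "192.168.3.50"    # assumed single inside host allowed to run torrents
p2p_port = "6881"            # assumed torrent listen port
icq_port = "5190"            # assumed: ICQ clients connect out on this TCP port

set block-policy drop
set skip on lo0
scrub in all

# Shape what leaves the uplink: one parent rate, three classes.
# q_p2p has no "borrow", so torrents stay inside their 10% share.
altq on $ext_if cbq bandwidth 1Mb queue { q_std, q_im, q_p2p }
queue q_std bandwidth 70% priority 4 cbq(default borrow)
queue q_im  bandwidth 20% priority 6 cbq(borrow)
queue q_p2p bandwidth 10% priority 1 cbq

nat on $ext_if from { $dmz_if:network, $wlan_if:network, $int_if:network } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $p2p_port -> $p2p_host

block log all                # default deny; later matching rules override it

# From the Internet: only the two redirected services (filter sees the rdr target).
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if proto { tcp, udp } from any to $p2p_host port $p2p_port keep state queue q_p2p

# The wireless and web DMZs may not open connections into the inside LAN.
block in quick on { $wlan_if, $dmz_if } from any to $int_if:network

# Classify by tag where the client is still visible, before NAT rewrites the source.
pass in on { $int_if, $wlan_if } all keep state
pass in on { $int_if, $wlan_if } proto tcp from any to any port $icq_port keep state tag IM
pass in on $int_if from $p2p_host to any keep state tag P2P

# Queue on the way out of the uplink; untagged traffic falls into q_std.
pass out on $ext_if all keep state
pass out on $ext_if all tagged IM keep state queue q_im
pass out on $ext_if all tagged P2P keep state queue q_p2p
pass out on { $dmz_if, $wlan_if, $int_if } all keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -vsq` shows per-queue counters once it is live.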
Re: Advice on which FreeBSD firewall package to choose.
On 1/5/07, Agus [EMAIL PROTECTED] wrote:
> It seems it is unanimous... PF it is... remember you have to compile the kernel to activate this, I've done it for the first time yesterday and it's very simple... also check out the ALTQ for QoS, good luck

Does PF and/or ipfilter have ipv6 support? I'm currently using ipfilter, but a friend went back to ipfw because he has an ipv6 tunnel to protect as well.

Mike
Re: Advice on which FreeBSD firewall package to choose.
Michael P. Soulier wrote:
> On 1/5/07, Agus [EMAIL PROTECTED] wrote:
>> It seems it is unanimous... PF it is... remember you have to compile the kernel to activate this, I've done it for the first time yesterday and it's very simple... also check out the ALTQ for QoS, good luck
> Does PF and/or ipfilter have ipv6 support? I'm currently using ipfilter, but a friend went back to ipfw because he has an ipv6 tunnel to protect as well.

pf certainly does
Re: Advice on which FreeBSD firewall package to choose.
Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:
> A FreeBSD router comprising of four physical interfaces -
> Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> Eth1 is a 100Mbit DMZ housing a webserver.
> Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
> Eth3 is the inside LAN.
> Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall).
> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
> Is there an equivalent to HTB on FreeBSD?
> I look forward to your answers...
> Regards,
> Brett.

i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.
Re: Advice on which FreeBSD firewall package to choose.
I can't speak to the advantages or disadvantages of each of those options, but from other lists I get the sense that pf is the best option out there.

If you want something quick to set up, pfSense and m0n0wall are prebuilt firewall packages based on FreeBSD that will do exactly what you're looking for. pfSense uses pf and ALTQ, m0n0wall uses ipfw and ipfilter.

http://m0n0.ch/wall/
http://www.pfsense.com/

We use redundant 5-port pfSense boxes for our firewall - works quite well.

-j

On Fri, 2007-01-05 at 10:25 +1300, Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:
> A FreeBSD router comprising of four physical interfaces -
> Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> Eth1 is a 100Mbit DMZ housing a webserver.
> Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
> Eth3 is the inside LAN.
> Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall).
> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
> Is there an equivalent to HTB on FreeBSD?
> I look forward to your answers...
> Regards,
> Brett.

--
tradersmedia
Jeremy Jongsma
Director of Bits Bytes
p 312.386.1130 x221 | f 312.386.1263 | c 312.399.4513
e [EMAIL PROTECTED]
RE: Advice on which FreeBSD firewall package to choose.
I have not used iptables or ipfw. But, pf is very easy to use, and has lots of options. I would give it a try. I can send some sample configs if you need.

Shane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Davidson
Sent: Thursday, January 04, 2007 4:26 PM
To: [EMAIL PROTECTED]
Subject: Advice on which FreeBSD firewall package to choose.

Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.

Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw. What would be the most useful (and easiest) package to use given the following scenario:

A FreeBSD router comprising of four physical interfaces -
Eth0 is the outside 10Mbyte/s cable connection to the Internet.
Eth1 is a 100Mbit DMZ housing a webserver.
Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router. (My normal preference is to isolate Wireless LANs from physical LANS).
Eth3 is the inside LAN.

Software-based VPN connections out from both the Inside LAN and Wireless DMZ are required. (Allowing VPN tunnels through the firewall; not tunnels terminated at the firewall).

Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.

Is there an equivalent to HTB on FreeBSD?

I look forward to your answers...

Regards,
Brett.
Re: Advice on which FreeBSD firewall package to choose.
On 1/4/07, Eric [EMAIL PROTECTED] wrote:
> Brett Davidson wrote:
>> Before I start, I'm familiar with IPTables from Linux but am wanting to use FreeBSD as a firewalling router after seeing it in action on a heavily-loaded webserver. I like the efficiency of the TCP stack.
>> Upon reading the handbook I found that I can have my choice of three firewalls; pf, iptables and ipfw.
>> ...
>> Against prudence, they wish to allow torrent connections to the inside lan and ICQ connections to both the Inside LAN and the Wireless DMZ. The torrent and ICQ connections will need to be bandwidth-managed so that is a major consideration for the choice of which firewall to use.
>> Is there an equivalent to HTB on FreeBSD?
> i believe pf is the most modern and cleanest/easiest syntax to use. it is actively developed and lots of people use it. You can set up priority on bandwidth in pf as well, so it should meet all your requirements nicely.

pf will also do the bandwidth management you want. I've used ipfw, ipf, iptables, and pf; pf is by far the most powerful and easy to use.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--