Fwd: Q: case studies about scalable, enterprise-class firewall w/ IPFilter

Tim Clewlow tim at clewlow.org
Tue Aug 5 09:26:41 UTC 2008


>
> Hello,
>
> I've posted the attached mail in the IP Filter mailing list; the only
> responses have been badly configured vacation replies :-(
>
> Does someone from freebsd-hackers have an idea? Thanks in advance.
>
> 	matthias
>
> ----- Forwarded message from Matthias Apitz <guru at UnixArea.de> -----
>
> From: Matthias Apitz <guru at UnixArea.de>
> Date: Sun, 3 Aug 2008 08:24:15 +0200
> To: IP Filter <ipfilter at coombs.anu.edu.au>
> Subject: Q: case studies about scalable, enterprise-class firewall
> w/ IPFilter
>
>
> Hello,
>
> We're currently protecting our network (and as well some FreeBSD
> laptops standalone) with IPFilter... I'm wondering if there are any
> case studies about scalable, enterprise-class firewall solutions,
> redundancy with stateful failover, application-level inspection, and
> the like, based on IPFilter and FreeBSD;
>
> thanks in advance for any pointers
>
> 	matthias
> --

Hi there, I have never used ipfilter, but I do use pf, and it can do
stateful failover, or firewall redundancy, with CARP (the Common
Address Redundancy Protocol) and pfsync. If there is an equivalent
syncing program, e.g. ipfiltersync, then you could use that with CARP
to allow an ipfilter firewall to fail over with full state tables
intact.

Also, you can inspect all manner of status info and tables for a
running firewall with pfctl; there must be an equivalent for
ipfilter.

If you are looking for general info about building a firewall, e.g.
TCP and IP headers, plus ICMP and VoIP and other protocols, then I
would recommend the following tutorial; it has a huge amount of
information - it is a lot more than just a tutorial on iptables.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Lastly, the "OpenBSD PF Packet Filter Book" has been very useful for
me, but I use pf where possible - I think it is the easiest, and
paradoxically the most powerful of all packet filters, but that is
my personal opinion, YMMV.

Cheers, Tim.
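As an added illustration of the CARP + pfsync setup Tim describes (this is example configuration written for this page, not anything from the thread or from the FreeBSD/OpenBSD projects), here is a minimal two-node pf failover pair using the current FreeBSD rc.conf CARP syntax (the vhid/alias form, not the 2008-era carp0 pseudo-interface). Interface names em0/em1/em2, the RFC 5737 / RFC 1918 addresses and the CARP password are placeholders:

```conf
# /etc/rc.conf on the primary firewall (fw1). fw2 is identical except for
# its own real addresses and a higher advskew (e.g. 100), so fw1 wins the
# master election for both virtual addresses.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# External side: real address plus a shared CARP virtual address (vhid 1).
ifconfig_em0="inet 192.0.2.11/24"
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGE_ME alias 192.0.2.1/32"
# Internal side: same pattern with a second vhid.
ifconfig_em1="inet 198.51.100.11/24"
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CHANGE_ME alias 198.51.100.1/32"

# Dedicated back-to-back link carrying pfsync state updates between the pair.
ifconfig_em2="inet 10.0.0.1/30"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="10.0.0.2"

# /etc/sysctl.conf: let fw1 take the vhids back when it comes up again.
net.inet.carp.preempt=1

# /etc/pf.conf (the same ruleset is loaded on both nodes)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo0
block log all

# pfsync updates must stay on the dedicated link; 'no-sync' stops each node
# from replicating the state entry for its own replication traffic.
pass quick on $sync_if proto pfsync keep state (no-sync)
# CARP advertisements are multicast (224.0.0.18) on the shared segments.
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Ordinary traffic: state created by these rules is mirrored to the peer via
# pfsync, so an established connection survives a CARP failover.
pass in on $int_if inet from $int_if:network keep state
pass out on $ext_if inet proto { tcp, udp, icmp } from $int_if:network keep state
```

To verify the pair, compare `pfctl -s states` on both nodes while a connection is open (the entry should appear on the backup as well), and `ifconfig em0` reports the CARP state as MASTER on one node and BACKUP on the other; `pfctl -s info` shows the state-table counters Tim refers to. Two caveats: the CARP password only authenticates advertisements, and pfsync carries state updates with no authentication or encryption at all, so the sync link should be a physically dedicated segment (or an IPsec-protected one) rather than a shared LAN.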
