firewall on FreeBSD
pauls at utdallas.edu
Sat Jun 25 03:39:06 GMT 2005
--On June 24, 2005 5:31:13 PM +0100 martin at orbweavers.co.uk wrote:
> On Friday 24 June 2005 15:31, fbsd_user wrote:
>> Which firewall you select to use should be based on your level of
>> understanding of how information is moved across the internet.
>> Ipfilter is best suited for people who are just learning about
>> firewalling. PF is a little more automated and the rules are very
>> close to IPF's.
>> IPFW is for the advanced firewall users who have expert
>> understanding of the internet. All 3 firewalls support stateful
>> rules and are available in the 5.4 release. Best advice is start
>> with Ipfilter and when you find out that you have needs which are
>> not met by Ipfilter then move over to IPFW.
> Is this right?
If it is, then I'm a lot smarter than I give myself credit for. The first
firewall I ever used was ipchains. Then I used iptables, but I never
learned much about either because Linux obscures the config (unless you're
doing something "fancy", you can run "setup" on the cli, click a few check
boxes and you're done.)
When I decided to switch a server over to FBSD, I had to read the man page
to understand how pf worked, because there *was* no "setup" to run. I've
been using pf for a few years now, and I've never had problems
understanding the syntax or how it works (but I also never do NAT, so that
might be the reason it seems easy to me.)
> I started off using IPFW, and found it no harder or easier
> than ipfilter, which I am using now. Can't remember the reason I changed
> to ipfilter, think it might have something to do with being easier to
> use with ipnat, but I am pretty happy with it. Is there anything that
> ipfw does better than ipfilter to make it preferable?
The only thing I would say about firewalls is, know what you're doing and
do it at the console. There's nothing like having to get dressed and drive
40 miles to fix a box because you screwed up the firewall config while
working remotely to impress upon you the need to work at the console. :-)
Personally, I like the "quick" keyword of the OpenBSD firewall, (but not
enough to bother installing it.)
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member