Choosing a BSD Firewall 15
Anonymous Coward writes "Jim O'Gorman has an article at bsdtoday.com about choosing an OS for a firewall project. While OpenBSD has a lot of followers, find out why Jim chose FreeBSD instead."
"Hello again, Peabody here..." -- Mister Peabody
choosing the right OS (Score:2)
What seemed most important to me in this article was not the question FreeBSD vs. OpenBSD but: "Don't view OS's as a religion, because they are only tools. Nothing more. Use the best one for a given job and let it stay at that. [...]"
Whereas hardly any Windows-user really identifies with his OS, many U*IX-users tend to do so. (Hell, I also often do so... ;-)
This does not only increase the os-for-computer-nerds image, it may also make some gurus blind for problems of their OS where another OS already offers a good solution (that might be integrated easily).
So I was quite happy to read in this article that O'Gorman used a very conservative approach to choose the os that best meets his needs. If he had also considered Linux he would have made my day... ;-)
also check out the comments following the article (Score:1)
OpenBSD discussion (Score:3)
Re:choosing the right OS (Score:1)
Re:choosing the right OS (Score:1)
1. I know slack better than any other distro of linux
2. You usually don't get the latest and greatest as quick so things can be tested better.
I also use OpenBSD and FreeBSD ( Usually OpenBSD because, again, I know it better ). I've been using Linux for about 4.5 years and BSDs for about 2. I don't see how you can say BSD is tougher than Linux as a blanket statement.
Can someone tell me why "Linux simply doesn't cut it when it comes to security and servers in general" as stated by the coward?
Thanks
Re:OpenBSD discussion (Score:1)
Just my
Re:choosing the right OS (Score:2)
I think for most practical purposes the big issue in firewalls is configuration (or lack of) and user stupidity (if users have remote access without hardware authentication then assume the bad guys do too). Add to that an eggshell mentality (hard wall soft middle) and you have a recipie for bad security. If you are a real badguy (as opposed to a script kiddie) social engineering beats software attacks by a wide margin.
Re:choosing the right OS (Score:2)
I think I understand computer security fairly well. While I would not run Slackware as a firewall for a large site it does a great job on small/medium sites when cost is a factor and I think you would have a tough time showing me that FreeBSD is more secure than Linux if both are configured properly.
I also use a PIX or other device when setting up a firewall for a large network.
Please show me how well you understand computer security by showing examples instead of using broad claims. I could very well be wrong, what I'm looking for is a little insite as to WHY.
Re:OpenBSD discussion (Score:1)
statefull filters? (Score:1)
And yes, I have ordered the O'Reilly book on Firewalls, but I'm waiting for the next version to come out (June 5th?).
ipf on freebsd (Score:1)
Re:statefull filters? (Score:3)
From the IP Filter site here [anu.edu.au]:
This sort of thing is also possible using the ipfw facility in FreeBSD:
Regarding Linux, it can kind of do that sort of thing currently, but only if you use IP Masquerading in conjunction with your firewalling. The idea there is that the only way to get a TCP packet past your Masquerading proxy is for it to be in response to a packet generated from inside your network. Of course, since you'd be doing many-to-one NAT in that scenario, the usual complications apply eg., since there is only 1 externally visible IP, you can't choose to allow specific incoming ports for multiple clients.
From what I understand, netfilter, which will be available in a stable release as of Linux 2.4.x, will make a more elegant method of doing this possible.
Re:statefull filters? (Score:1)
Basically, I found that ipfw wasn't able to reliably keep state on a lot of traffic which it had to pass out a NAT _after_ passing the natd running on the ipfw machine.
It also had problems with ftp connections-- maybe I just didn't find the corresponding facility in ipfw/natd, but ipf has an excellent ftp 'proxying' mechanism which will not just keep state on two-way tcp/udp connections, but also keep track of the return ftp data connections.
Re:statefull filters? (Score:1)
Are you running FTP in passive mode? Since it's return port is otherwise random, NAT does'nt know what to do with the remote response, so the connection is not made.
Re:A couple of questions (Score:1)