OpenBSD Packet Filter Ported To NetBSD, FreeBSD
honold writes "just read this on deadly.org (from Pyun YongHyeon):
"Hello there.
I have ported pf to FreeBSD 5.0. Currently it works well, though many nice features of pf are not tested. I have ported it to make FreeBSD users know there is another excellent stateful packet filter with a BSD license. The URL is the following.
ftp://ftp.kr.freebsd.org/pub/FreeBSD-kr/misc/pf_freebsd_0.3.tar.bz2
Thanks."
netbsd has a port as well
Where are you, Linux?"
Yes, they differ in implementation and configurability. FreeBSD's default firewall, ipfw, is pretty easy to set up and configure, and it's pretty powerful. Darren Reed's ipfilter is arcane to set up and insanely powerful. From what I've heard, obsd's pf is pretty easy to set up and insanely powerful.
Most firewalls more or less do the same thing, but the devil is in the details. Some firewalls can do much more than others can, and that's why there are multiple firewalls available. For example, Darren Reed's ipfilter can process packets based on any of the TCP flags in the packet header -- not an option that an entry-level sysadmin wants to have to worry about, although a security expert might be uncomfortable without it.
Most of the firewalls can be set up to do host-based and network-based packet filtering (that's firewalling).
Hope this helps.
Truth is that if you want a secure system, shut down your unused services. Use keywords like setup (ipfw) or NEW (iptables) to keep track of new connections. Log new connections: use -j LOG in iptables, 'log' in ipf and ipfw. Not sure what the syntax is in pf. Lastly, use ssh over telnet and ftp and REQUIRE shared keys. Webservers are hard to secure because of 'stray' or possibly badly coded cgi. DNS servers should only be run when necessary, or on the internal LAN. Use things like ipsec w/ racoon to secure systems so that connection traffic can be encrypted.
Only 'flamers' flame!