Date:      Mon, 10 Jun 1996 21:37:02 -0400 (EDT)
From:      Brian Clapper <bmc@WillsCreek.COM>
To:        FreeBSD matters of Mark Huizer (xaa) <freebsd@xaa.stack.urc.tue.nl>
Cc:        questions@freebsd.org
Subject:   Re: firewalls in FBSD, how good are they?
Message-ID:  <199606110137.VAA00337@willow.willscreek.com>
In-Reply-To: <91702035@toto.iv>

>>>>> "Mark Huizer" <freebsd@xaa.stack.urc.tue.nl>

Mark> What I'd like to know: I've never really used and trusted upon the
Mark> FreeBSD ipfw stuff. Could anyone give me a little story on their
Mark> experiences, whether one can hang their pacemaker on it safely etc :)

If all you use is a FreeBSD (or Linux) box with an ipfw module, then you're
implementing a packet-filtering gateway--a truly minimalist firewall.
It'll provide you *some* protection (i.e., more than just hanging your
network naked on the Internet), but if that's all you deploy as your
firewall, you're toast if that machine is compromised.  That risk may be
acceptable for your site; it certainly wasn't (and isn't) for ours, though.
And I sure wouldn't hang a pacemaker (or credit-card transaction processing
software) off the back end of that sort of firewall.

You'd do well to read one or both of the following books, so you can
recommend an appropriate solution to your management.

1. Building Internet Firewalls.  By Brent Chapman and Elizabeth
   Zwicky  (O'Reilly and Associates, 1995).
        http://www.ora.com/www/item/fire.html

2. Firewalls & Internet Security: Repelling the Wily Hacker.
   by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 1994)
        http://www.aw.com/cp/Ches.html
-----
Brian Clapper ....................... bmc@WillsCreek.COM -or- bmc@telebase.com
http://www.netaxs.com/~bmc/ ......... PGP public key available on request
If people were required to know the law rather than obey it, the government
would be overthrown the very next day.


