Date:      Wed, 2 May 2001 10:20:00 -0500 (CDT)
From:      Phil Brutsche <pbrutsch@tux.creighton.edu>
To:        Rob <rob@robhulme.com>
Cc:        <questions@freebsd.org>
Subject:   Re: IPFW versus Hardware firewalls
Message-ID:  <Pine.LNX.4.33.0105021008570.14372-100000@tux.creighton.edu>
In-Reply-To: <LPBBLIHFHEKDFLJEBFJGKEJKDCAA.rob@robhulme.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> I regularly administer some FreeBSD servers, and more recently (as
> specified in another email) I will be required to implement several
> firewalls.
>
> From what I 'hear' everyone seems to go the hardware based firewall
> route - with Cisco having the most well respected name (at least for
> marketing purposes).
>
> I like BSD, I have been very impressed with the stability and security
> of the system. We don't generally see NT boxes on our network with
> >100 days uptime, but this seems to be quite common with BSD. I would
> be interested in looking into using FreeBSD with IPFW for our
> firewalls - but I am interested in your opinions.
>
> What are the advantages of using IPFW over say Cisco's products? What
> are the disadvantages?

In terms of simple filtering, they're about equal.  What Cisco has over
any other free unix-type system (except Linux) is the ability to do policy
routing (to my knowledge, at least.  Feel free to enlighten me :) ).

Policy routing is where you make a routing decision based not only on what
host it's going to, but also the ToS bits in the TCP header, the source
IP, the source port number, the destination port number, the IP protocol
(i.e. tcp, udp, gre, etc.), or anything else you can think of in the packet.
Or any combination of the above.

If you look around, all 5 (Cisco, Linux, {Free|Net|Open}BSD) can do
quality of service on the network connection.

One of the things you need to watch out for is support issues - Cisco
dudes who can take care of a PIX are a dime a dozen (basically), but if
something should happen to you, and the firewalls need work and your
"replacement" (for lack of a better term) isn't up to speed on
firewalls...

> What experiences have you had of using either?

I've had no experience with ipfw in a firewalling situation (I'm more
familiar with ipfilter).

If all you need is a basic firewall (no QoS or policy routing) then
FreeBSD will meet your needs fairly well.

> Are there any comparisons on the net?

None that I'm aware of.  I haven't exactly been looking, either :)

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68CWi/ZTSZFDeHPwRAmvdAKDPHYwzEtXRNPwGVGeNEXj6JH8q0gCgy9kf
ktM9khGHw+gkG2KNImCuFpM=
=v30q
-----END PGP SIGNATURE-----
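Policy routing as described in the reply above, as an added example that is not part of Phil's message or of any firewall product: a destination-only routing table (longest-prefix match on the destination, which is all a plain routing table does) next to a policy table whose rules may also match the source prefix, IP protocol, ports and the ToS byte, first match wins, with fallback to the destination table. Every address, interface name, next hop and rule in the block is constructed for illustration and is not taken from the thread.

```python
"""Destination-only routing versus policy routing (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "gre", "icmp", ...
    sport: int = 0      # 0 when the protocol has no port numbers
    dport: int = 0
    tos: int = 0        # IP header ToS byte (today's DSCP/ECN field)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str       # hypothetical next-hop / interface name


@dataclass(frozen=True)
class PolicyRule:
    """A match-anything-you-like rule; None means 'do not care'."""
    next_hop: str
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    tos: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.src is None or ip_address(p.src) in self.src,
            self.dst is None or ip_address(p.dst) in self.dst,
            self.proto is None or p.proto == self.proto,
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.tos is None or p.tos == self.tos,
        ))


def destination_route(table: List[Route], p: Packet) -> Optional[str]:
    """Ordinary routing: longest-prefix match on the destination address only."""
    best: Optional[Route] = None
    for r in table:
        if ip_address(p.dst) in r.prefix and (
            best is None or r.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = r
    return best.next_hop if best else None


def policy_route(rules: List[PolicyRule], table: List[Route], p: Packet) -> Optional[str]:
    """Policy routing: first matching rule wins, else fall back to the routing table."""
    for rule in rules:
        if rule.matches(p):
            return rule.next_hop
    return destination_route(table, p)


# Constructed routing table: default route plus an internal aggregate.
ROUTES = [
    Route(ip_network("0.0.0.0/0"), "isp-a"),
    Route(ip_network("10.0.0.0/8"), "core-router"),
]

# Constructed policy rules, evaluated top to bottom.
POLICY = [
    # Web traffic from one subnet goes through a proxy regardless of destination.
    PolicyRule("proxy", src=ip_network("192.168.1.0/24"), proto="tcp", dport=80),
    # Everything from a second subnet leaves via the other uplink.
    PolicyRule("isp-b", src=ip_network("192.168.2.0/24")),
    # Packets marked DSCP EF (ToS 0xb8) take the low-latency link.
    PolicyRule("voice-link", tos=0xB8),
]

if __name__ == "__main__":
    web = Packet("192.168.1.10", "203.0.113.5", "tcp", 40000, 80)
    print(destination_route(ROUTES, web), "->", policy_route(POLICY, ROUTES, web))
```

The point the two functions make side by side: `destination_route` sends every packet for 203.0.113.5 to `isp-a`, while `policy_route` steers the same packets to `proxy`, `isp-b` or `voice-link` depending on source, protocol, port or ToS, and only consults the destination table when no rule matched.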


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.33.0105021008570.14372-100000>