Date: Wed, 2 May 2001 10:20:00 -0500 (CDT)
From: Phil Brutsche <pbrutsch@tux.creighton.edu>
To: Rob <rob@robhulme.com>
Cc: <questions@freebsd.org>
Subject: Re: IPFW versus Hardware firewalls
Message-ID: <Pine.LNX.4.33.0105021008570.14372-100000@tux.creighton.edu>
In-Reply-To: <LPBBLIHFHEKDFLJEBFJGKEJKDCAA.rob@robhulme.com>

A long time ago, in a galaxy far, far away, someone said...

> I regularly administer some FreeBSD servers, and more recently (as
> specified in another email) I will be required to implement several
> firewalls.
>
> From what I 'hear' everyone seems to go the hardware based firewall
> route - with Cisco having the most well respected name (at least for
> marketing purposes).
>
> I like BSD, I have been very impressed with the stability and security
> of the system. We don't generally see NT boxes on our network with
> >100 days uptime, but this seems to be quite common with BSD. I would
> be interested in looking into using FreeBSD with IPFW for our
> firewalls - but I am interested in your opinions.
>
> What are the advantages of using IPFW over say Cisco's products? What
> are the disadvantages?

In terms of simple filtering, they're about equal.

What Cisco has over any other free unix-type system (except Linux) is
the ability to do policy routing (to my knowledge, at least. Feel free
to enlighten me :) ).

Policy routing is where you make a routing decision based not only on
what host it's going to, but also the ToS bits in the TCP header, the
source IP, the source port number, the destination port number, the IP
protocol (ie tcp, udp, gre, etc), or anything else you can think of in
the packet. Or any combination of the above.

If you look around, all 5 (Cisco, Linux, {Free|Net|Open}BSD) can all do
quality of service on the network connection.

One of the things you need to watch out for is support issues - Cisco
dudes who can take care of a PIX are a dime a dozen (basically), but if
something should happen to you, and the firewalls need work and your
"replacement" (for lack of a better term) isn't up to speed on
firewalls...

> What experiences have you had of using either?

I've had no experience with ipfw in a firewalling situation (I'm more
familiar with ipfilter).

If all you need is a basic firewall (no QoS or policy routing) then
FreeBSD will meet your needs fairly well.

> Are there any comparisons on the net?

None that I'm aware of. I haven't exactly been looking, either :)

--
----------------------------------------------------------------------
Phil Brutsche                               pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc