Date:      Fri, 5 Jan 2007 09:11:22 +0100
From:      Albert Shih <Albert.Shih@obspm.fr>
To:        Brett Davidson <brett@net24.co.nz>
Cc:        questions@freebsd.org
Subject:   Re: Advice on which FreeBSD firewall package to choose.
Message-ID:  <20070105081122.GC8555@pcjas.obspm.fr>
In-Reply-To: <60224D09909C0B43A50935A0893D8FF31DA2DC@srv.exchange.net24.net.nz>
References:  <60224D09909C0B43A50935A0893D8FF31DA2DC@srv.exchange.net24.net.nz>

On 05/01/2007 at 10:25:30+1300, Brett Davidson wrote:
> Before I start, I'm familiar with IPTables from Linux but am wanting to
> use FreeBSD as a firewalling router after seeing it in action on a
> heavily-loaded webserver. I like the efficiency of the TCP stack.
> 
> Upon reading the handbook I found that I can have my choice of three
> firewalls; pf, iptables and ipfw.
> 
> What would be the most useful (and easiest) package to use given the
> following scenario:
> 
> A FreeBSD router comprising four physical interfaces -
> 	Eth0 is the outside 10Mbyte/s cable connection to the Internet.
> 	Eth1 is a 100Mbit DMZ housing a webserver.
> 	Eth2 is a 100Mb DMZ housing a 802.11g Wireless Access Router.
> 	(My normal preference is to isolate Wireless LANs from physical
> 	LANs).
> 	Eth3 is the inside LAN.
> 
> Software-based VPN connections out from both the Inside LAN and Wireless
> DMZ are required. (Allowing VPN tunnels through the firewall; not
> tunnels terminated at the firewall).
> 
> Against prudence, they wish to allow torrent connections to the inside
> LAN and ICQ connections to both the Inside LAN and the Wireless DMZ. The
> torrent and ICQ connections will need to be bandwidth-managed so that is
> a major consideration for the choice of which firewall to use. Is there
> an equivalent to HTB on FreeBSD?
> 
> I look forward to your answers...
> 
I've been using ipfw and pf for this.

If you've some knowledge of Cisco ACLs you can use ipfw (it's first
match-use).

pf has some very useful features. With pf it's last match first-use, and
it's easier to add some ACLs with pf for a script (like ssh_bruteforce).

Regards.


--
Albert SHIH
Observatoire de Paris Meudon
Heure local/Local time:
Fri 5 Jan 2007 09:08:19 CET
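The reply above mentions two things about pf: rule evaluation is "last match wins" (unless a rule carries `quick`), and it is convenient to drive an ACL from a script, the ssh brute-force case being the usual one. The script below is an added example written for this page; it is not code from the thread or from the FreeBSD project. It reads sshd log lines, counts failed logins per source address, and prints the `pfctl` commands that would add the offenders to a pf table. The table name `ssh_bruteforce`, the threshold of 5, and the pf.conf lines quoted in the comments are all assumptions, and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build pfctl commands
# that populate a pf table from sshd "Failed password" log lines.
#
# Assumed /etc/pf.conf fragment (hypothetical, not on the page):
#   table <ssh_bruteforce> persist
#   block in quick on $ext_if from <ssh_bruteforce> to any
#   pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
# pf normally lets the LAST matching rule win, so the block rule needs
# "quick" to stop evaluation; otherwise the later pass rule would win.
# ipfw, by contrast, stops at the FIRST matching rule, like a Cisco ACL.

THRESHOLD="${THRESHOLD:-5}"          # failures before a source is listed
TABLE="${TABLE:-ssh_bruteforce}"     # pf table name (assumed)

# Constructed sample log lines (not real data): one source with 5 failures,
# one with 2, one with 6, plus a successful login that must be ignored.
SAMPLE_LOG='Jan  5 09:00:01 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan  5 09:00:02 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan  5 09:00:03 gw sshd[1234]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Jan  5 09:00:04 gw sshd[1234]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Jan  5 09:00:05 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jan  5 09:00:06 gw sshd[1240]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Jan  5 09:00:07 gw sshd[1240]: Accepted password for alice from 192.0.2.10 port 50001 ssh2
Jan  5 09:00:08 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jan  5 09:00:09 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60002 ssh2
Jan  5 09:00:10 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60003 ssh2
Jan  5 09:00:11 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60004 ssh2
Jan  5 09:00:12 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60005 ssh2
Jan  5 09:00:13 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60006 ssh2
Jan  5 09:00:14 gw sshd[1250]: Failed password for bob from 192.0.2.10 port 50002 ssh2'

# failed_ssh_sources MIN: read sshd log lines on stdin, print every source
# address with at least MIN "Failed password" lines, one per line, sorted.
failed_ssh_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            # the address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# pf_block_cmds TABLE: turn the address list on stdin into pfctl commands.
# They are printed rather than executed so the operator can review them
# (or pipe the output into sh to apply).
pf_block_cmds() {
    while read -r ip; do
        printf 'pfctl -t %s -T add %s\n' "$1" "$ip"
    done
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources "$THRESHOLD" | pf_block_cmds "$TABLE"
}

main
```

On a real router you would feed `/var/log/auth.log` instead of `$SAMPLE_LOG` and pipe the output into `sh`; because the table is declared `persist`, entries survive a ruleset reload, and `pfctl -t ssh_bruteforce -T show` lists what is currently blocked. Note that pf can also do this without any script: a `pass` rule with `max-src-conn-rate` and `overload <ssh_bruteforce> flush global` adds the source to the table itself. The bandwidth-shaping question in the original post is a separate matter; on FreeBSD that is ALTQ with pf or dummynet with ipfw, and is not shown here.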



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070105081122.GC8555>