Date: Mon, 21 Aug 1995 10:35:39 +0800 (HKT)
From: "Raju M. Daryanani" <raju@rssd.hk.olivetti.com>
To: dennis@et.htp.com (dennis)
Cc: gryphon@healer.com, hackers@freebsd.org
Subject: Re: Internet In A Box
Message-ID: <199508210244.AA13494@hk.super.net>
In-Reply-To: <199508202319.TAA05069@mail.htp.com> from "dennis" at Aug 20, 95 07:19:11 pm
According to dennis:
> screend sucks. Try something else.

Such as? I'm in the process of setting up a FreeBSD box as a firewall, and at the moment I've got both screend and the ipfirewall facility compiled in.

The main problem I have with ipfirewall is that it sorts the firewall rules in ascending order of coverage size. I'd hate to find I've got a big hole because I miscalculated the order in which the rules are going to be evaluated. Also, it is all or nothing in deciding which ICMP packets you want to forward, meaning I can't set policy on which ones I want to allow in and which ones I want to reject.

The good thing about screend is that it evaluates the rules in the order that you issue them, making it easier to check the correctness. The problem I've got with it is that it doesn't allow you to screen out incoming TCP SYN packets. That will force me to close out some ports on which I would like to allow outgoing connections. It also doesn't allow me to protect the machine it's running on, since it only works on packets that it is gating between networks. As a result I've got to use ipfirewall to protect the FreeBSD router, and that means duplicated rules, which needlessly complicates things and creates two things I need to keep an eye on.

Performance is not a problem for me at the moment because the firewall is only guarding a 14.4Kbps net connection, and the 386DX/25 it runs on is idle for 98% of its time.

If there's something better that allows more control I'd like to know about it.

Raju
--
Raju M. Daryanani          | Email: raju@rssd.hk.olivetti.com
Technical Support Manager  |        raju@hk.super.net, raju@air.org
Products Division          | Tel: +852 2979 2450 / Fax: +852 2802 6650
Olivetti (HK) Ltd.         | [Finger for PGP key] [MIME understood]
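A small model of the two evaluation orders contrasted in the message above, added here as an illustration and not code from the thread or from either tool: the same rule set decided by first match in issued order (what Raju describes for screend) versus first match after sorting rules by ascending coverage (what he describes ipfirewall doing). The rule syntax, the addresses and the coverage measure (size of the source x destination address space) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "reject"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

    def coverage(self):
        # assumed measure: size of the (src, dst) address space the rule covers
        return self.src.num_addresses * self.dst.num_addresses


def rule(action, src, dst):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def first_match(rules, src, dst, default="reject"):
    """Issued-order semantics: the first rule that matches decides."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src_ip, dst_ip):
            return r.action
    return default


def by_coverage(rules):
    # narrower rules first; sorted() is stable, so ties keep issued order
    return sorted(rules, key=Rule.coverage)


def divergent(rules, packets):
    """Packets on which issued-order and coverage-order evaluation disagree."""
    ordered = by_coverage(rules)
    out = []
    for s, d in packets:
        issued, sorted_ = first_match(rules, s, d), first_match(ordered, s, d)
        if issued != sorted_:
            out.append((s, d, issued, sorted_))
    return out


# Constructed rule set, written with issued-order semantics in mind:
# block an untrusted /16 outright, then let the rest of 10/8 reach one server.
RULES = [
    rule("reject", "10.1.0.0/16", "0.0.0.0/0"),
    rule("accept", "10.0.0.0/8", "192.0.2.10/32"),
]
PACKETS = [("10.1.2.3", "192.0.2.10"), ("10.2.2.3", "192.0.2.10"),
           ("10.1.2.3", "192.0.2.11")]

if __name__ == "__main__":
    for s, d, issued, sorted_ in divergent(RULES, PACKETS):
        print(f"{s} -> {d}: issued-order {issued}, coverage-order {sorted_}")
```

Running the check over a real rule set before loading it is one way to catch the "big hole" the message worries about: the narrower accept sorts ahead of the broader reject, so a host in the blocked /16 reaches the server under coverage order but not under issued order.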