Date:      Sat, 11 Dec 2004 12:31:04 -0800
From:      "Loren M. Lang" <lorenl@alzatex.com>
To:        Eric Kjeldergaard <kjelderg@gmail.com>
Cc:        FreeBSD Mailing list <freebsd-questions@freebsd.org>
Subject:   Re: Linux kernel on FreeBSD
Message-ID:  <20041211203104.GC16539@alzatex.com>
In-Reply-To: <d9175cad0412100548643cbbea@mail.gmail.com>
References:  <20041210082138.GF32126@alzatex.com> <d9175cad0412100548643cbbea@mail.gmail.com>

On Fri, Dec 10, 2004 at 07:48:55AM -0600, Eric Kjeldergaard wrote:
> > Also, I've found the
> > Netfilter firewall in Linux to be, IMHO, a little better designed than
> > ipfilter or ipfw in freebsd, and it definitely has more features than
> > those two freebsd firewalls.
> 
> Which features?  Is there something I'm missing with the firewalls
> available in FreeBSD?

DISCLAIMER: At this time I have had no time to look at pf.

Netfilter seems to have better nat proxy support for protocols like ftp
and h.323.  If you set up incoming ftp connections to an ftp server
behind a nat router on port 21 with state matching, then the ftp proxy
modules will monitor the traffic for passive transfers, modify the
traffic as needed, then add a related connection to the connection
tracking module.  If you allow incoming related connections as well,
which you normally would, then your router will support passive transfers
transparently, and securely as well.  Same goes for active ftp client
transfers.  When I was reading about the ftp proxy support in ipfilter,
they stated that you would have to allow a range of ports in for
passive ftp to reach the server, but there was no way of associating the
transfers with the ftp connections allowed in, so it was less secure.

Same with h.323, only a different module and a different port.  There are
also many other protocols supported as well, like TFTP, IRC, RTSP, Quake
3, MMS, Amanda, GRE, RSH, PPTP, CuSeeMe.

Here's an example with netfilter:

# Load proxy handler modules
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Enable nat for ftp server port
iptables -t nat -A POSTROUTING -o ${OUT_IF} -j SNAT --to ${ROUTER_OUT_IP}
iptables -t nat -A PREROUTING -i ${OUT_IF} -p tcp --dport 21 -j DNAT \
--to ${FTP_IP}

# Allow access through firewall
iptables -t filter -A FORWARD -s ${IN_NETWORK} -m state --state ESTABLISHED,RELATED,NEW \
-j ACCEPT
iptables -t filter -A FORWARD -d ${IN_NETWORK} -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -t filter -A FORWARD -d ${FTP_IP} -p tcp --dport 21 -m state \
--state NEW -j ACCEPT

Basically I allow outgoing connections, and NEW incoming connections to
port 21 which is NATed to point to the ftp server, and I allow all
incoming ESTABLISHED or RELATED connections, and that allows the incoming
passive ftp transfers because they are related to another connection,
but random connections to those ports won't work.  The ftp server knows
nothing of this and thinks it's just talking on the internet like a
normal server would.  The same goes in reverse for active ftp clients
behind nat routers.

There is a time match in netfilter which I find very handy when using
firewall rules in combo with traffic control, so during the work day, ppl
using P2P software won't be stealing all the bandwidth, but after
midnight, they have free rein.  I have not seen this match in ipfw or
ipfilter.

Also, there are lots of add-ons in the patch-o-matic on netfilter's
website, like the TCPLAG target which can be used to report lag on tcp
packets.  And also connection marking, which I can use to keep track of
connections that match certain conditions, so I can have a certain
connection that may trigger a condition with one packet going through,
like an extra large packet, but take action on every packet since then
for that connection.

Now some of this may be done in different ways with BSD firewalls or may
already be supported in pf, but I haven't figured out how to do them
yet.  But the general impression I've got is that netfilter is very well
designed compared to previous linux firewalls and has a bigger feature list
than the BSD firewalls.  But before netfilter, BSD firewalls were most
definitely far superior; too bad I started using BSD after having lived
through both ipfwadm and ipchains.

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
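To show why RELATED lets the passive data connection through while a random connection to the same port does not, here is an added Python model of the state match, the ftp helper and the three FORWARD rules from the message above (an illustration written for this archive page, not netfilter code or anything from the original post; the addresses, port and 227 reply are constructed, and the FORWARD chain policy is assumed to be DROP).

```python
import re
# Added model of the netfilter state match + ftp helpers (simplified, not kernel code)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
FTP_IP, ROUTER_OUT_IP = "192.168.1.10", "203.0.113.1"  # constructed addresses

class ConnTracker:
    """Flows keyed by (src, sport, dst, dport), as FORWARD sees them (post-DNAT)."""
    def __init__(self):
        self.conns, self.expects = set(), set()

    def classify(self, src, sport, dst, dport):
        """State the '-m state' match would assign to this packet."""
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.conns or reverse in self.conns:
            return "ESTABLISHED"
        self.conns.add(flow)
        if (dst, dport) in self.expects:        # data flow the helper announced
            self.expects.discard((dst, dport))  # an expectation is single use
            return "RELATED"
        return "NEW"

    def ftp_helper(self, server_reply):
        """ip_conntrack_ftp + ip_nat_ftp on a '227' reply leaving the server:
        expect the data port and rewrite the private address to the public one."""
        m = PASV_RE.search(server_reply)
        if not m:
            return server_reply, None
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.expects.add((FTP_IP, port))  # the nat helper DNATs that flow to the server
        pub = ROUTER_OUT_IP.replace(".", ",")
        fixed = f"227 Entering Passive Mode ({pub},{m.group(5)},{m.group(6)})"
        return server_reply[:m.start()] + fixed + server_reply[m.end():], port

def forward_policy(state, dst, dport):
    """The inbound FORWARD rules from the message; chain policy assumed DROP."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and dst == FTP_IP and dport == 21:
        return "ACCEPT"
    return "DROP"

def demo(client="198.51.100.7"):
    """Control connection, the passive data connection, then a stray probe."""
    ct, out = ConnTracker(), []
    out.append(forward_policy(ct.classify(client, 40000, FTP_IP, 21), FTP_IP, 21))
    reply, port = ct.ftp_helper("227 Entering Passive Mode (192,168,1,10,195,80)\r\n")
    out.append(forward_policy(ct.classify(client, 40001, FTP_IP, port), FTP_IP, port))
    out.append(forward_policy(ct.classify(client, 40002, FTP_IP, port), FTP_IP, port))
    return reply, port, out  # (..., 50000, ["ACCEPT", "ACCEPT", "DROP"])
```

The third packet targets the very port the helper just opened, but with the expectation already consumed it is NEW and hits no rule, which is the "random connections to those ports won't work" property described above.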