Re: fw on linux and freebsd
socrel: You should be able to find the original post in the archives, as I
clipped it up some.
--- Daniel Pittman <daniel@rimspace.net> wrote:
> On 1 Jul 2004, Mike Mestnik wrote:
> > --- socrel@gmx.net wrote:
> >>
> >> Looking for considered comparisons of firewalling on Linux and
> >> FreeBSD.
> >
> > FreeBSD lets you respond to 'blocked' ports in ""exactly"" the same
> > way 'closed' ports are. Linux has higher moral standards as in the
> > developers refuse to add this feature on their religious grounds.
>
> I am bemused by this claim, since it is untrue to the best of my
> knowledge. Which protocols do you believe are unable to supply a full
> protocol-compliant NAK?
>
> Possibly you mean to say:
>
> Linux does not support generating a protocol "closed port"
> message that appears to originate from a device behind the
> firewall
>
> Otherwise, you can certainly provide the standard protocol NAK response
> for all the widely used protocols, to the best of my knowledge.
>
http://lists.netfilter.org/pipermail/netfilter/2000-May/003863.html
It's a long-outstanding feature request: "TCP-RST" vs icmp-unreachable.
Taken from: http://www.hmug.org/man/8/ipfw.html
    deny   Discard packets that match this rule. The search terminates.
           drop is an alias for deny.
    reset  TCP packets only. Discard packets that match this rule, and try
           to send a TCP reset (RST) notice. The search terminates.
> >> I am especially interested in learning about ease of connection
> >> tracking
> >
> > There is no *inner workings* documentation on either side and it's
> > difficult to see how each **works** for a comparison.
>
> Both systems are equally capable of "easily" providing an active
> firewall using some form of connection tracking. This can be as trivial
> as a single line in both, as I understand it.
>
I'm not really sure if this is true of Linux, let me take a stab at it.
iptables -A FORWARD -i $IFACE+ -m state --state\
ESTABLISHED,RELATED -j ACCEPT
In FreeBSD it's something like...
allow tcp from any to $Webserver_A http setup keep-state
I would have to say the latter is much cleaner. The internal workings
also seem to be better...
On match a new rule to allow the next packet in is created (in a kernel private
table). Maybe this is just a pseudo rule based on a connection tracking
struct, like what Linux seems to provide.
This is all conjecture on my part; without docs it's hard to say.
I just like the religion...
FreeBSD: We skip the whole CT bit and go right on to what is important.
We see X1 the next thing we will see is X2.
Is what we see X2?
Linux: Looks like a lot of state for a simple concept.
We see X1 this socket is now in state Y.
We now see X2, is this valid for state Y?
> >> and of getting packets into user space for analysis via scripts.
> >
> > I think Linux takes this one -hands down-. However I would always
> > caution, buffer overflows and other security risks are always
> > involved.
>
> Depending on the OPs requirements, both platforms support packet capture
> before the firewall, allowing you to bypass the firewall subsystem
> entirely, and (relatively) portably, so you are not (so) tied to your
> initial choice.
>
I think the state Linux provides will be valuable here.
> > Sticking to the OS's own book keeping should be your goal. In Linux
> > this means text files in sudo FS.
>
> I am not at all clear what you mean by as "sudo FS", but iptables
> supports logging rule matches via the kernel log mechanism and, thus,
> through syslog.
>
That's what I'm talking about, reading the state. "sudo FS" == "proc FS".
> It also supports the "userspace log daemon" protocol, allowing
> applications to be sent packets for review and logging. The 'ulogd'
> package supports logging to files and databases out of the box, and
> should be a good basis for adapting a Linux specific packet capture
> solution.
>
Does FreeBSD have this?
> Daniel
> --
> My definition of an expert in any field is a person who knows enough about
> what's really going on to be scared.
> -- P.J. Plauger
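To make the Linux side of the comparison concrete, here is an added example (not from the thread, and not netfilter's own code) that generates an iptables-restore ruleset equivalent to the ipfw "allow tcp from any to $Webserver_A http setup keep-state" line, with the choice between a TCP RST reply and a silent drop, plus kernel-log logging of refused packets. The interface name, web server address and log prefix are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that mirrors ipfw's
# "setup keep-state" for a forwarded web server. Placeholders: the
# external interface, the web server address and the reject mode.
# Usage: sh fw.sh eth0 192.0.2.10 rst | iptables-restore
gen_rules() {
    iface="$1"        # external interface, e.g. eth0 (placeholder)
    webserver="$2"    # forwarded web server address (placeholder)
    reject_mode="$3"  # "rst" answers TCP with a RST, anything else drops silently

    case "$reject_mode" in
        rst) tcp_reject="-p tcp -j REJECT --reject-with tcp-reset" ;;  # like ipfw "reset"
        *)   tcp_reject="-p tcp -j DROP" ;;                            # like ipfw "deny"
    esac

    cat <<EOF
*filter
:FORWARD DROP [0:0]
# ipfw "keep-state": packets belonging to tracked connections pass.
-A FORWARD -i ${iface} -m state --state ESTABLISHED,RELATED -j ACCEPT
# ipfw "setup": only a SYN may open a new connection to the web port.
-A FORWARD -i ${iface} -p tcp --syn -d ${webserver} --dport 80 -m state --state NEW -j ACCEPT
# Rate-limited record of everything about to be refused, via the kernel log (syslog).
-A FORWARD -i ${iface} -m limit --limit 5/minute -j LOG --log-prefix "fw-refused: "
# TCP: protocol-compliant RST or silent drop, depending on the mode chosen above.
-A FORWARD -i ${iface} ${tcp_reject}
# UDP: the standard NAK is an ICMP port unreachable.
-A FORWARD -i ${iface} -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Only emit rules when run directly with all three arguments.
if [ "$#" -eq 3 ]; then
    gen_rules "$@"
fi
```

Because iptables-restore flushes the filter table by default, review the generated text before loading it on a host whose INPUT chain you depend on.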