
Re: fw on linux and freebsd



socrel: You should be able to find the original post in the archives, as I
clipped it up some.

--- Daniel Pittman <daniel@rimspace.net> wrote:
> On 1 Jul 2004, Mike Mestnik wrote:
> > --- socrel@gmx.net wrote:
> >>
> >> Looking for considered comparisons of firewalling on Linux and
> FreeBSD.
> >
> > FreeBSD lets you respond to 'blocked' ports in "exactly" the same
> way
> > 'closed' ports are.  Linux has higher moral standards, as in the
> > developers refuse to add this feature on their religious grounds.
> 
> I am bemused by this claim, since it is untrue to the best of my
> knowledge. Which protocols do you believe are unable to supply a full
> protocol-compliant NAK?
> 
> Possibly you mean to say:
> 
>     Linux does not support generating a protocol "closed port"
>     message that appears to originate from a device behind the
>     firewall
> 
> Otherwise, you can certainly provide the standard protocol NAK response
> for all the widely used protocols, to the best of my knowledge.
> 
http://lists.netfilter.org/pipermail/netfilter/2000-May/003863.html
It's a long outstanding feature request "TCP-RST" vs icmp-unreachable.

Taken from: http://www.hmug.org/man/8/ipfw.html
deny    Discard packets that match this rule.  The search termi-
        nates.  drop is an alias for deny.

reset   TCP packets only.  Discard packets that match this rule,
        and try to send a TCP reset (RST) notice.  The search
        terminates.

> >> I am especially interested in learning about ease of connection
> >> tracking
> >
> > There is no *inner workings* documentation on either side and it's
> > difficult to see how each **works** for a comparison.
> 
> Both systems are equally capable of "easily" providing an active
> firewall using some form of connection tracking. This can be as trivial
> as a single line in both, as I understand it.
> 
I'm not really sure if this is true of Linux, let me take a stab at it.
        iptables -A FORWARD -i $IFACE+ -m state --state\
                ESTABLISHED,RELATED -j ACCEPT

In FreeBSD it's something like...
allow tcp from any to $Webserver_A http setup keep-state

I would have to say the latter is much cleaner.  The internal workings
also seem to be better...
On match a new rule to allow the next pkt in is created (in a kernel private
table).  Maybe this is just a pseudo rule based on a connection tracking
struct, like what Linux seems to provide.

This is all conjecture on my part; without docs it's hard to say.

I just like the religion...
FreeBSD: We skip the whole CT bit and go right on to what is important.
We see X1 the next thing we will see is X2.
Is what we see X2?

Linux: Looks like a lot of state for a simple concept.
We see X1 this socket is now in state Y.
We now see X2, is this valid for state Y?

> >> and of getting packets into user space for analysis via scripts.
> >
> > I think Linux takes this one -hands down-.  However I would always
> > caution, buffer overflows and other security risks are always
> > involved.
> 
> Depending on the OPs requirements, both platforms support packet capture
> before the firewall, allowing you to bypass the firewall subsystem
> entirely, and (relatively) portably, so you are not (so) tied to your
> initial choice.
> 
I think the state Linux provides will be valuable here.

> > Sticking to the OS's own bookkeeping should be your goal. In Linux
> > this means text files in sudo FS.
> 
> I am not at all clear what you mean by as "sudo FS", but iptables
> supports logging rule matches via the kernel log mechanism and, thus,
> through syslog.
> 
That's what I'm talking about, reading the state.  "sudo FS" == "proc FS".

> It also supports the "userspace log daemon" protocol, allowing
> applications to be sent packets for review and logging. The 'ulogd'
> package supports logging to files and databases out of the box, and
> should be a good basis for adapting a Linux specific packet capture
> solution.
> 
Does FreeBSD have this?

>         Daniel
> -- 
> My definition of an expert in any field is a person who knows enough
> about
> what's really going on to be scared.
>         -- P.J. Plauger
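The two "religions" sketched above (ipfw's keep-state: "we saw X1, is what we see now X2?" versus iptables' --state: "this flow is in state Y, is X2 valid for Y?") end up answering the same question. The following is an added example, not code from this thread or from either firewall: a toy stateful TCP filter in Python that tracks flows by address/port 4-tuple, lets only a policy-approved bare SYN open a flow (the "setup" / NEW case), and then accepts only packets that fit the flow's state, so a stray ACK or SYN/ACK with no matching flow is dropped. The web_policy function stands in for "allow tcp from any to $Webserver_A http setup keep-state"; the packet sequence and the 10.0.0.80 / 192.0.2.1 / 198.51.100.7 addresses are constructed for the demonstration.

```python
"""Toy connection tracker: a simplified model of what iptables'
ESTABLISHED,RELATED match and ipfw's keep-state both rely on.
Added example; not code from the mailing-list thread or either firewall."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH


FlowKey = Tuple[str, int, str, int]


class Conntrack:
    """Tracks TCP flows (protocol fixed to TCP here) and returns an
    ACCEPT/DROP verdict per packet: untracked packets go through the
    NEW-flow policy, tracked packets must fit the flow's current state."""

    def __init__(self, allow_new: Callable[[Packet], bool]) -> None:
        self.allow_new = allow_new
        self.table: Dict[FlowKey, str] = {}

    def filter(self, p: Packet) -> str:
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return self._track(fwd, "orig", p)
        if rev in self.table:
            return self._track(rev, "reply", p)
        # No flow known: only a bare SYN that policy permits may open one.
        # Stray ACKs, SYN/ACKs and FINs belonging to no flow are dropped.
        if p.flags == "S" and self.allow_new(p):
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"

    def _track(self, key: FlowKey, direction: str, p: Packet) -> str:
        state = self.table[key]
        if "R" in p.flags:  # RST from either side tears the flow down
            del self.table[key]
            return "ACCEPT"
        if state == "SYN_SENT" and direction == "reply" and p.flags == "SA":
            self.table[key] = "SYN_RECV"  # "we saw X1, this is X2"
            return "ACCEPT"
        if state == "SYN_RECV" and direction == "orig" and "A" in p.flags and "S" not in p.flags:
            self.table[key] = "ESTABLISHED"  # handshake complete
            return "ACCEPT"
        if state == "ESTABLISHED":
            if "S" in p.flags:  # a new SYN does not belong in an open flow
                return "DROP"
            if "F" in p.flags:  # first FIN: remember which side half-closed
                self.table[key] = "FIN_WAIT:" + direction
            return "ACCEPT"
        if state.startswith("FIN_WAIT:"):
            if "F" in p.flags and state != "FIN_WAIT:" + direction:
                del self.table[key]  # second FIN from the other side (TIME_WAIT elided)
            return "ACCEPT"
        return "DROP"  # packet does not fit the state: INVALID


def web_policy(p: Packet) -> bool:
    """Hypothetical stand-in for 'allow tcp from any to $Webserver_A http setup keep-state'."""
    return p.dst == "10.0.0.80" and p.dport == 80


def run(packets: List[Packet], policy: Callable[[Packet], bool] = web_policy) -> List[str]:
    ct = Conntrack(policy)
    return [ct.filter(p) for p in packets]


# Constructed sample traffic (documentation addresses, not real hosts).
C, S, X = "192.0.2.1", "10.0.0.80", "198.51.100.7"
SAMPLE = [
    Packet(C, 40000, S, 80, "S"),   # 1 client SYN to the web server: policy allows
    Packet(S, 80, C, 40000, "SA"),  # 2 server SYN/ACK: fits SYN_SENT
    Packet(C, 40000, S, 80, "A"),   # 3 final ACK: ESTABLISHED
    Packet(C, 40000, S, 80, "PA"),  # 4 data on the open flow
    Packet(X, 5555, S, 80, "A"),    # 5 bare ACK with no flow: dropped
    Packet(X, 5556, S, 22, "S"),    # 6 SYN to a port policy does not allow
    Packet(S, 80, C, 40001, "SA"),  # 7 SYN/ACK with no matching SYN: dropped
    Packet(S, 80, C, 40000, "S"),   # 8 SYN inside an established flow: dropped
    Packet(C, 40000, S, 80, "FA"),  # 9 client half-closes
    Packet(S, 80, C, 40000, "FA"),  # 10 server closes too: flow removed
    Packet(C, 40000, S, 80, "A"),   # 11 late ACK after teardown: no flow, dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:6} {pkt}")
```

Packets 5 and 7 are where the stateless "ACK established" trick of old packet filters fails and connection tracking earns its keep: neither belongs to a flow the filter saw being set up, so neither is let through. The real implementations also track sequence windows, UDP/ICMP pseudo-flows and the RELATED case (FTP data channels, ICMP errors); this model leaves those out to keep the state question visible.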
