
Re: fw on linux and freebsd



On 1 Jul 2004, Mike Mestnik wrote:
> --- socrel@gmx.net wrote:
>>
>> Looking for considered comparisons of firewalling on Linux and FreeBSD.
>
> FreeBSD lets you respond to 'blocked' ports in "exactly" the same way
> 'closed' ports are.  Linux has higher moral standards, as in the
> developers refuse to add this feature on their religious grounds.

I am bemused by this claim, since it is untrue to the best of my
knowledge. Which protocols do you believe are unable to supply a full
protocol-compliant NAK?

Possibly you mean to say:

    Linux does not support generating a protocol "closed port"
    message that appears to originate from a device behind the
    firewall

Otherwise, you can certainly provide the standard protocol NAK response
for all the widely used protocols, to the best of my knowledge.

> FreeBSD's config files are 'optimized' according to the rules of their
> religion.  Which makes them cryptic (backwards) for the rest of us.
> However CT is not automatic, but the accepting of related/established
> packets is mandatory.

I can't say, frankly, that the raw iptables rules are much easier to
work with. :)

I strongly recommend using a "compiler" to generate the low level
firewall rules from a high level language. These are available for both
platforms being discussed.

>> I am especially interested in learning about ease of connection
>> tracking
>
> There is no *inner workings* documentation on either side and it's
> difficult to see how each *works* for a comparison.

Both systems are equally capable of "easily" providing an active
firewall using some form of connection tracking. This can be as trivial
as a single line in both, as I understand it.

>> and of getting packets into user space for analysis via scripts.
>
> I think Linux takes this one -hands down-.  However I would always
> caution, buffer overflows and other security risks are always
> involved.

Depending on the OP's requirements, both platforms support packet capture
before the firewall, allowing you to bypass the firewall subsystem
entirely, and (relatively) portably, so you are not (so) tied to your
initial choice.

> Sticking to the OS's own bookkeeping should be your goal. In Linux
> this means text files in sudo FS.

I am not at all clear what you mean by "sudo FS", but iptables
supports logging rule matches via the kernel log mechanism and, thus,
through syslog.

It also supports the "userspace log daemon" protocol, allowing
applications to be sent packets for review and logging. The 'ulogd'
package supports logging to files and databases out of the box, and
should be a good basis for adapting a Linux specific packet capture
solution.

        Daniel
-- 
My definition of an expert in any field is a person who knows enough about
what's really going on to be scared.
        -- P.J. Plauger
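An added example to go with the points above (the "single line" of connection tracking, the protocol-compliant NAK, and logging to userspace for ulogd). This is not code from Daniel's message, from the thread, or from either project; it is a tiny rule "compiler" of the kind the reply recommends, written as a POSIX shell script. The POLICY format, the gen_rules and count_new_rules names, the eth0 interface, and the 192.0.2.0/24 source are this example's own inventions; the iptables match modules and targets it emits (conntrack, limit, NFLOG, REJECT) are the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny rule "compiler" that turns a
# high-level allow list into an iptables-restore file.  The policy format and
# the function names are this example's own; the iptables options are real.

# Constructed policy (hypothetical), one "<proto> <port> <source-cidr>" per line.
POLICY='tcp 22 192.0.2.0/24
tcp 80 0.0.0.0/0
udp 53 0.0.0.0/0'

# gen_rules IFACE: print a complete filter table for the outside interface.
gen_rules() {
    ifc=${1:-eth0}
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One stateful ACCEPT per policy line; only the first packet of a flow
    # (ctstate NEW) has to match a rule, conntrack admits the rest of it.
    printf '%s\n' "$POLICY" | while read -r proto port src; do
        [ -n "$proto" ] || continue
        printf '%s\n' "-A INPUT -i $ifc -p $proto --dport $port -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: hand a (rate-limited) copy to userspace via NFLOG
    # group 1, which ulogd2 can read, then answer with the protocol's own
    # "closed port" NAK rather than silently dropping, so the host looks
    # like an ordinary machine with nothing listening.  NFLOG does not
    # terminate rule traversal, so the REJECT lines still run.
    printf '%s\n' \
        "-A INPUT -i $ifc -m limit --limit 10/s -j NFLOG --nflog-group 1 --nflog-prefix \"fw-reject \"" \
        "-A INPUT -i $ifc -p tcp -j REJECT --reject-with tcp-reset" \
        "-A INPUT -i $ifc -p udp -j REJECT --reject-with icmp-port-unreachable" \
        "-A INPUT -i $ifc -j REJECT --reject-with icmp-proto-unreachable" \
        'COMMIT'
}

# count_new_rules IFACE: number of per-service ACCEPT rules the policy yields.
count_new_rules() {
    gen_rules "$1" | grep -c -- '--ctstate NEW'
}

# Stand-alone use (as root):  gen_rules eth0 | iptables-restore
gen_rules "${1:-eth0}"
```

Feed the output to iptables-restore rather than running iptables once per line, so the whole table is swapped atomically. The pf side of the same policy reads roughly the same way: `pass in ... keep state` for the allow list (stateful by default in current pf) and `block return` instead of plain `block` to get the TCP RST / ICMP unreachable that the REJECT lines produce here.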
