standalone firewall - Linux VS BSD firewalls

plug@arcticmail.com
Fri, 12 Jan 2001 09:49:37 -0700


I don't know about using NetBSD for a secure/firewall system,
but OpenBSD's current claim to fame is "three years without
a remote exploit in the default install."

I would go to OpenBSD's website and read the links on security
and crypto.  One of the things that the OpenBSD team has done
is review ALL of the BSD source code, line-by-line, looking for
potential security issues (like buffer overruns), and fixing
them, even if a way to exploit the bug wasn't obvious at the
time.

Another plus for *BSD is that they have one of the best TCP/IP
stacks around.  This is interesting because I helped a friend
set up an OpenBSD firewall for his Cox cable modem connection
and he asked if there was going to be a performance hit (versus
having his Windows box connected directly to the cable modem).
I told him that if there were, it should be minimal.  Anyway,
I asked him about it a few days later, and he SWORE that his
connection was actually FASTER with the OpenBSD firewall in
place.  The only explanation that I could think of was that
the Windows networking code must be optimized for fast, low-
latency LAN networks.

Finally, I've done NAT and firewall stuff in Linux with ipchains.
IMHO, NAT and firewall stuff in OpenBSD using ipfilter is *MUCH*
more straightforward and easier to understand.


D

* On Thu, Jan 11, 2001 at 07:11:33AM +0800, P-K  wrote:
> I have often wondered about this. I should just dig in and install a BSD box just to check it out.
> 
> But what are the advantages that Open or Net BSD have over Linux when talking about security and firewalls? I have heard this time and again and I am just curious as to the facts of the matter.
> 
> JLF, I know you use BSD; what do you think?
> 
> Thanks
> 
> P-K
> 
> -----Original Message-----
> From: "Furmanek, Greg" <Greg.Furmanek@hit.cendant.com>
> Date: Wed, 10 Jan 2001 10:27:04 -0500
> To: "'plug-discuss@lists.PLUG.phoenix.az.us'" <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: RE: standalone firewall
> 
> 
> > From my experience to this day and reading a lot of docs I
> > still think that an OpenBSD firewall is better than a Linux 2.2.x
> > based one.  One very good thing about OpenBSD is the fact that
> > the OS is shipped with encryption.  If you use it as a
> > firewall/router this may come in handy for remote access.
> > 
> > Another option I was looking at is using the 2.4 kernel, but it is
> > really fresh so I am going to wait for some updates and see what
> > the distribution vendors are going to do.  Another interesting
> > addition to using Linux as a firewall is RSBAC, which makes the
> > box really tight.
> > 
> > I guess you just need to read a lot of docs on-line and decide
> > what you want to do.
> > 
> > -> -----Original Message-----
> > -> From: John W [mailto:wisdom04@home.com]
> > -> Sent: Tuesday, January 09, 2001 9:53 PM
> > -> To: plug-discuss@lists.PLUG.phoenix.az.us
> > -> Subject: standalone firewall
> > -> 
> > -> 
> > -> I'd like to open by saying thank you to those who helped me with the CDRW
> > -> issue and say that all is well. Thanks again. I am looking into setting up an
> > -> old box as a firewall for a Linux box and one Windows box. I have looked into
> > -> the Linuxrouter project and what I found seems to be rather dated. I have at
> > -> my disposal Linux Mandrake 7.2, RH 6.2 & 7.0, Debian 2.2 Potato, FreeBSD 4.1
> > -> and Storm Hail release. Would any of these suit my needs, or might there be
> > -> something specialized for this purpose? I am a newbie, so user friendliness
> > -> would be nice as well. I have no problem RTFMing to achieve what I am after.
> > -> All help appreciated!
> > -> -- 
> > -> John Wheat
> > -> 
> > -> ________________________________________________
> > -> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your 
> > -> mail doesn't post to the list quickly and you use Netscape 
> > -> to write mail.
> > -> 
> > -> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > -> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > -> 
> > 