On January 17, 2002 J.Francois wrote:

> I feel like I stepped into a vi vs. emacs or csh vs. ksh thread :)

Didn't mean to start one of THOSE threads (although we all know that vi and ksh are MUCH better than their counterparts). :)

> It really isn't a question of which is better but which you know best.
> Your security will be at its peak if you fully understand what tool you
> are using.

Exactly. I am more familiar with OpenBSD firewalling at this moment. But if there is something about Linux with which I am unfamiliar that would make it worth my while to investigate using it as a firewall, then maybe I would consider making the switch.

I wasn't hoping for "Linux is 'better' than OpenBSD," or vice versa. I was just curious what people's opinions were regarding the relative merits of each platform, and what people's personal experiences had been. And I was actually hoping that you, specifically, would chime in since you are one of the few BSD heretics that dares rear his/her head 'round these parts. :)

> if you are comfortable with ipfilter (now ipf), changing to ipchains will
> mean learning a new syntax. I would do that on an internal system and leave
> the battle tested config running until I felt comfortable enough to switch it out.
> I stopped using Linux for firewalling because I got tired of each change
> to the firewalling command and syntax and wanted something a little less changeable.

Good points. I guess what I'm trying to do is weigh the advantage of learning a new tool (which, to me, is a benefit in and of itself) against the advantage of sticking with something that I know well enough that it allows me to concentrate on other things (e.g. learning PHP, or trying to decide between Bonds or Griffey for my fantasy baseball team).

> I also found that the ipfilter syntax and features just plain rocked.

I could not agree more.

> I use OpenBSD 2.8 for my firewall and love it. I will be going 3.0 soon.

I think that's what I will probably end up doing.
After Cox seemed to have finally yanked the plug on me for not using DHCP, I just ran 'dhclient ne0' on my firewall last night, and *BAM*, I was back on the air. For some reason I never had much success using pump or dhcpcd to connect a Linux box to Cox's network, and I was quite pleasantly surprised at how easy it was to get DHCP working with OpenBSD.

Unless someone has a testimonial about why Linux makes a killer firewall which is compelling enough to make me switch (I am very intrigued by Tom Achtenberg's e-smith suggestion and will probably play with that), I will probably upgrade to OpenBSD 3.0 in the next couple of weeks.

> I started using FreeBSD more in the last year because ipfw can do
> Equal Cost Multipath Routing without fiddling with add-on tools like iproute
> and ipfw kicks ass for simulating WAN testing, dynamic rulesets, and other
> cool stuff.
> The VPN setup is a breeze with racoon or isakmpd, I can email you the file
> I have on connecting to Checkpoint, I think I still have it around somewhere.

I would be VERY interested in that. I will try to get that working myself, but it's always nice to have a cheat-sheet against which to do sanity checks.

> FWIW, keep OpenBSD and still train yourself on ipchains.
> Have a dual boot system so you can try out new rules on both and do a
> real comparison of which firewalling setup you are the most comfortable with.
>
> The BSD Heretic (JLF) Sends...
>
> My .02

Good ideas, thanks for the input.

~Jeff
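Added example, not from this thread and not written by either poster: the same minimal policy for a firewall whose outside interface is ne0, written once in the IPFilter syntax the thread praises (OpenBSD 2.8, /etc/ipf.rules) and once in pf syntax. The caveat for the planned upgrade is that OpenBSD 3.0 dropped IPFilter after the 2001 licence dispute and shipped pf in its place, so a 2.8 ipf ruleset must be rewritten rather than copied over; in 3.0 the filter rules live in /etc/pf.conf, and NAT rules stayed in a separate /etc/nat.conf until 3.1. The interface name ne0, SSH as the only inbound service, and a plain filtering host with no NAT are assumptions of the example.

```conf
# --- OpenBSD 2.8, IPFilter: /etc/ipf.rules
# Assumption: ne0 is the outside (DHCP) interface. Default deny both ways,
# logging inbound drops. ipf is last-match-wins unless "quick" is given,
# so every pass rule here uses "quick" to stop evaluation on match.
block in log all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
# DHCP client: request leaves from port 68 to 67, reply returns to 68
pass out quick on ne0 proto udp from any port = 68 to any port = 67 keep state
# Traffic the firewall itself originates; "keep state" admits the replies
pass out quick on ne0 proto tcp from any to any flags S keep state
pass out quick on ne0 proto udp from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state
# The only service reachable from outside: SSH, new connections (SYN) only
pass in quick on ne0 proto tcp from any to any port = 22 flags S keep state

# --- OpenBSD 3.0 and later, pf: /etc/pf.conf (same policy, pf syntax)
# Differences: macros ($ext_if), "port 22" without "=", and "flags S/SA"
# (match SYN set, ACK clear, out of the S and A bits) instead of "flags S".
ext_if = "ne0"
block in log all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on $ext_if proto udp from any port 68 to any port 67 keep state
pass out quick on $ext_if proto tcp from any to any flags S/SA keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state
```

On 2.8, load the first ruleset with `ipf -Fa -f /etc/ipf.rules` and inspect it with `ipfstat -io`. On 3.0, syntax-check the second with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, enable pf with `pfctl -e`, and list the active rules with `pfctl -sr`. Test the inbound SSH rule and a blocked port from a second machine before trusting the box on the Cox link.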