OpenBSD or Linux Firewall?
Gilbert T. Gutierrez, Jr.
plug-discuss@lists.plug.mybutt.net
Fri, 18 Jan 2002 09:53:37 -0700
With the new release of OpenBSD (3.0) didn't they change the
firewalling? I don't believe they are still using IPF. Upgrading to the
new version of OpenBSD may be the same hassle as switching to Linux.
Gilbert
At 06:06 PM 1/17/2002 -0700, you wrote:
>I feel like I stepped into a vi vs. emacs or csh vs. ksh thread :)
>
>It really isn't a question of which is better but which you know best.
>Your security will be at its peak if you fully understand what tool you
>are using.
>If you are comfortable with ipfilter (now ipf), changing to ipchains will
>mean learning a new syntax. I would do that on an internal system and leave
>the battle-tested config running until I felt comfortable enough to switch
>it out.
>I stopped using Linux for firewalling because I got tired of each change to
>the firewalling command and syntax and wanted something a little less
>changeable.
>I also found that the ipfilter syntax and features just plain rocked.
>
>I use OpenBSD 2.8 for my firewall and love it. I will be going 3.0 soon.
>I started using FreeBSD more in the last year because ipfw can do
>Equal Cost Multipath Routing without fiddling with add-on tools like iproute,
>and ipfw kicks ass for simulating WAN testing, dynamic rulesets, and other
>cool stuff.
>The VPN setup is a breeze with racoon or isakmpd. I can email you the file
>I have on connecting to Checkpoint; I think I still have it around somewhere.
>
>FWIW, keep OpenBSD and still train yourself on ipchains.
>Have a dual-boot system so you can try out new rules on both and do a
>real comparison of which firewalling setup you are the most comfortable with.
>
>The BSD Heretic (JLF) Sends...
>
>My.02
>
>On Mon, Jan 14, 2002 at 12:15:18PM -0700, Jeffrey Pyne wrote:
> > I got Cox's conversion kit in the mail this weekend, so I guess I need
> > to switch over to their new "hi-speed" service. While I'm switching, I
> > thought I might as well upgrade my firewall. I'm currently using OpenBSD
> > 2.6, and this baby has been running trouble-free for 2 1/2 years (not
> > including a couple of power outages). I've been thinking about switching to
> > Linux, since iptables now offers "stateful" firewalling (the lack of that
> > functionality in ipchains led me to go with OpenBSD way back when). My
> > requirements are as follows:
> >
> > 1) Must be able to handle DHCP since Cox.net apparently won't offer any
> > static IP addresses (*sniff*) -- not just in terms of getting an IP
> > address, but also in terms of the firewalling
> > 2) Must be able to establish a VPN tunnel to a Checkpoint firewall -- I
> > know Linux can do it with FreeS/WAN, and a quick search of Google leads
> > me to believe OpenBSD can handle it as well
> > 3) Must be able to "redirect" incoming traffic to other IP
> > addresses/ports on the internal LAN -- OpenBSD does that beautifully, and I
> > imagine iptables does that now, too.
> > 4) Must be able to NAT the internal LAN for outbound traffic -- should be
> > a no-brainer for both Linux and OpenBSD
> > 5) Must be as rock-solid as my OpenBSD firewall has proven to be over
> > the years
> >
> > So, would anyone care to offer their input about whether I should
> > upgrade to OpenBSD 3.0 or move to a Linux platform? Any caveats,
> > gotchas, or bugaboos? Any particular strengths or weaknesses RE: any of
> > my requirements? Anyone ever set up a VPN tunnel to a Checkpoint
> > firewall who would like to share any insight or experiences? Anybody
> > else made the switch over to Cox.net and have anything to say (I noticed
> > on their web page that their DHCP leases expire every 4 hours)? Any
> > particularly good documentation that you might like to share? I am very
> > intrigued by some of the floppy-based Linii, but I'm really interested
> > more in whether the solution can handle the above requirements than how
> > much space the installation requires.
> >
> > Thanks in advance,
> >
> > ~Jeff
>--
>Jean Francois - JLF Sends...
>"Tell them we are not Gods, but SysAdmins, which is the next best thing."
>
>PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
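
Editor's note, added to this archived thread and not written by any of the posters: Gilbert is right that OpenBSD 3.0 replaced IPFilter with pf, so "upgrading" meant learning a new ruleset syntax either way. For readers who land on this page with Jeff's requirements in mind, the pf.conf below shows how pf handles requirements 1, 3 and 4 (a DHCP-assigned external address, redirecting inbound traffic to an internal host, and outbound NAT) with stateful filtering. It uses the pf syntax of OpenBSD 4.7 and later (match rules with nat-to/rdr-to), not the nat/rdr syntax that shipped with 3.0. The interface names em0/em1, the 192.168.1.0/24 network, the internal host 192.168.1.10 and the port numbers are assumptions chosen for the example.

```pf
# Added example pf.conf (modern OpenBSD pf syntax, not the 3.0 syntax
# discussed in the thread). Interface names, networks, hosts and ports
# below are assumptions for illustration.

ext_if  = "em0"              # assumption: interface that holds the DHCP lease
int_if  = "em1"              # assumption: internal LAN interface
int_net = "192.168.1.0/24"   # assumption: internal LAN
web_srv = "192.168.1.10"     # assumption: host that receives redirected traffic

set skip on lo

# Requirement 5 in spirit: default deny, log drops, and reject packets on the
# internal side that claim a source they cannot have. antispoof for the
# external interface is deliberately omitted: it expands against the address
# present at load time, which a DHCP lease can change.
block log all
antispoof quick for $int_if

# Requirement 4: outbound NAT. ($ext_if) in parentheses tells pf to look up
# the interface address at evaluation time, so the rule keeps working after a
# lease renewal (Cox's 4-hour leases in the thread) without reloading pf.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Requirement 3: redirect inbound TCP/80 arriving on the external address to
# an internal host. Only this redirected traffic is allowed in unsolicited;
# the state created here also lets the translated packet leave on $int_if.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    rdr-to $web_srv port 8080

# Requirement 1: pass the DHCP client exchange explicitly on the outside.
# Some dhclient versions do part of this over bpf, which pf does not see,
# but renewals may use a normal UDP socket, and passing it costs nothing.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68

# Stateful filtering: anything the firewall or the LAN starts outbound is
# allowed and its replies come back on the state entry; nothing else gets in.
pass out on $ext_if inet from ($ext_if) to any
pass in  on $int_if inet from $int_net to any
pass out on $int_if inet from any to $int_net
```

Before loading it, check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and confirm the expanded rules with `pfctl -sr`. The design choice worth copying is the parenthesized `($ext_if)`: hard-coding the leased address, or relying on a macro expanded at load time, is the usual way a DHCP-fronted firewall silently stops NATing after the lease changes.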