OpenBSD or Linux Firewall?

Gilbert T. Gutierrez, Jr. plug-discuss@lists.plug.mybutt.net
Fri, 18 Jan 2002 09:53:37 -0700


With the new release of OpenBSD (3.0) didn't they change the 
firewalling?  I don't believe they are still using IPF.  Upgrading to the 
new version of OpenBSD may be the same hassle as switching to Linux.

Gilbert

At 06:06 PM 1/17/2002 -0700, you wrote:

>I feel like I stepped into a vi vs. emacs or csh vs. ksh thread :)
>
>It really isn't a question of which is better but which you know best.
>Your security will be at its peak if you fully understand what tool you
>are using. If you are comfortable with ipfilter (now ipf), changing to
>ipchains will mean learning a new syntax. I would do that on an internal
>system and leave the battle tested config running until I felt
>comfortable enuff to switch it out.
>I stopped using Linux for firewalling because I got tired of each change
>to the firewalling command and syntax and wanted something a little less
>changeable. I also found that the ipfilter syntax and features just plain
>rocked.
>
>I use OpenBSD 2.8 for my firewall and love it. I will be going 3.0 soon.
>I started using FreeBSD more in the last year because ipfw can do
>Equal Cost Multipath Routing without fiddling with add-on tools like
>iproute, and ipfw kicks ass for simulating WAN testing, dynamic rulesets,
>and other cool stuff.
>The VPN setup is a breeze with racoon or isakmpd. I can email you the file
>I have on connecting to Checkpoint, I think I still have it around
>somewhere.
>
>FWIW, keep OpenBSD and still train yourself on ipchains.
>Have a dual boot system so you can try out new rules on both and do a
>real comparison of which firewalling setup you are the most comfortable
>with.
>
>The BSD Heretic (JLF) Sends...
>
>My .02
>
>On Mon, Jan 14, 2002 at 12:15:18PM -0700, Jeffrey Pyne wrote:
> > I got Cox' conversion kit in the mail this weekend, so I guess I need
> > to switch over to their new "hi-speed" service.  While I'm switching, I
> > thought I might as well upgrade my firewall.  I'm currently using OpenBSD
> > 2.6, and this baby has been running trouble-free for 2 1/2 years (not
> > including a couple power outages).  I've been thinking about switching to
> > Linux, since iptables now offers "stateful" firewalling (the lack of that
> > functionality in ipchains led me to go with OpenBSD way back when).  My
> > requirements are as follows:
> >
> > 1) Must be able to handle DHCP since Cox.net apparently won't offer any
> > static IP addresses (*sniff*) -- not just in terms of getting an IP
> > address, but also in terms of the firewalling
> > 2) Must be able to establish a VPN tunnel to a Checkpoint firewall -- I
> > know Linux can do it with FreeS/WAN, and a quick search of Google leads
> > me to believe OpenBSD can handle it as well
> > 3) Must be able to "redirect" incoming traffic to other IP
> > addresses/ports on the internal LAN - OpenBSD does that beautifully, and I
> > imagine iptables does that now, too.
> > 4) Must be able to NAT the internal LAN for outbound traffic - should be
> > a no-brainer for both Linux and OpenBSD
> > 5) Must be as rock-solid as my OpenBSD firewall has proven to be over
> > the years
> >
> > So, would anyone care to offer their input about whether I should
> > upgrade to OpenBSD 3.0 or move to a Linux platform?  Any caveats,
> > gotchas, or bugaboos?  Any particular strengths or weaknesses RE: any of
> > my requirements?  Anyone ever set up a VPN tunnel to a Checkpoint
> > firewall who would like to share any insight or experiences?  Anybody
> > else made the switch over to Cox.net and have anything to say (I noticed
> > on their web page that their DHCP leases expire every 4 hours)?  Any
> > particularly good documentation that you might like to share?  I am very
> > intrigued by some of the floppy-based Linii, but I'm really interested
> > more in whether the solution can handle the above requirements than how
> > much space the installation requires.
> >
> > Thanks in advance,
> >
> > ~Jeff
>--
>Jean Francois - JLF Sends...
>"Tell them we are not Gods, but SysAdmins, which is the next best thing."
>
>________________________________________________
>See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't 
>post to the list quickly and you use Netscape to write mail.
>
>PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
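Gilbert's recollection is correct: OpenBSD 3.0 replaced IPFilter with pf, so existing ipf/ipnat rules have to be rewritten in the new grammar. As an added example that is not from anyone in this thread, the ruleset below shows how Jeff's requirements 1, 3 and 4 plus stateful filtering look in pf.conf syntax of the later 3.x releases; the interface names, the LAN range and the internal web host are assumed.

```pf
# Assumed names: xl0 faces the cable modem (DHCP), xl1 faces the LAN.
ext_if  = "xl0"
int_if  = "xl1"
lan     = "192.168.1.0/24"
webhost = "192.168.1.10"

# Requirement 4: NAT the LAN behind whatever address the external
# interface currently holds. The parentheses make pf re-read the
# interface address when the DHCP lease changes; on a release whose
# pf lacks that form, write $ext_if and reload the rules with pfctl
# whenever the lease is renewed.
nat on $ext_if from $lan to any -> ($ext_if)

# Requirement 3: redirect inbound TCP/80 to an internal host.
# rdr rewrites the destination before filtering, so the pass rule
# further down must match the translated (internal) address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webhost port 80

# Default deny in both directions; nothing passes without a rule.
block in all
block out all

# Loopback is trusted.
pass quick on lo0 all

# Requirement 1: let the DHCP client exchange leases on the external side.
pass in  on $ext_if proto udp from any port 67 to any port 68
pass out on $ext_if proto udp from any port 68 to any port 67

# Stateful filtering: only the first packet of a connection is
# evaluated against rules; replies are matched by the state entry.
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state

# Only the redirected service is reachable from outside; flags S/SA
# creates the state on the initial SYN only.
pass in on $ext_if proto tcp from any to $webhost port 80 flags S/SA keep state

# LAN hosts may initiate anything outbound through the firewall.
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm what is active with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); check pf.conf(5) on the installed release, since the grammar changed between the early 3.x versions.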