RE: Best IP configuration for OpenBSD firewall/router

[Edward Rustin <ed () well com>]

Sorry :)

I did realize, as several people have pointed out, the netfilter is a
linux thing and that pf is the *BSD equivilent. In my defence I'm a linux
guy and haven't had much experience with any of the BSDs (allthough I
should try to get some more experience with them...)

Edward Rustin
Directory of Security, OnlineGuardians.org

On Mon, 18 Aug 2003, DeGennaro, Gregory wrote:

> OpenBSD PF is superior to Netfilter as well as the OS for security reasons
> alone.  I use it for second tier FW into my home LAN.  Nothing usually gets
> past the first tier (Cisco router using CBAC) but if it does, it will be
> stopped by PF (second tier) on my home network.
>
> However if you are more comfortable with Linux and Netfilter, you should
> stay with it or learn OpenBSD PF before implementing.  The OpenBSD FAQ is
> great place to get started.
>
> http://www.openbsd.org/faq/pf/index.html
>
> Regards,
>
> Greg DeGennaro Jr., CCNP
> Security Analyst
>
>
> -----Original Message-----
> From: chort [mailto:chort () amaunetsgothique com]
> Sent: Monday, August 18, 2003 10:45 AM
> To: Edward Rustin
> Cc: Damon McMahon; security-basics () securityfocus com
> Subject: Re: Best IP configuration for OpenBSD firewall/router
>
> On Mon, 2003-08-18 at 09:24, Edward Rustin wrote:
>
> > I'm also going to assume that you're going to be using some sort of
> > iptables setup on your gateway so that it can perform some firewalling
> > functions as well. So if you've got iptables set up with the appropriate
> > restrictions on incoming traffic then your should be fine (for certain
> > values of fine which include things such as making sure you're secure and
> > patching your system when it needs it...)
>
> Just FYI iptables is the Linux kernel Netfilter.  OpenBSD uses pf for
> packet filtering.
>
> To the original poster, try searching Google for sample pf.conf scripts.
>
> By the way, I agree with the direction you're taking to use OpenBSD for
> your gateway.  I know many people recommend Linux to build a gateway,
> but many Linux distributions are getting bloated now and the kernel
> itself has had a few problems.  Since OpenBSD is a distribution that
> does exhaustive code review and is very minimal by default, and it has
> strong cryptography built in, I would recommend OBSD rather than Linux.
>
> --
> Brian Keefer
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------