nanog mailing list archives

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls


From: Tony Kapela <xam () chalupa wi2600 org>
Date: Sat, 18 Jan 2003 11:12:27 -0600 (CST)




On Sat, 18 Jan 2003, Scott Francis wrote:

> 2. I happen to like a host-based firewall (a firewall running on a normal
> user OS like FreeBSD) better than an appliance.  You get to do anything
> you need with it, you have a full complement of unix tools like grep and
> awk and tcpdump and expect, etc. - it seems like you have more control.
> Assuming (for a moment) that performance were equal, does anyone else feel
> this way ?  Does anyone else prefer a normal system for a firewall over,
> say, a PIX ?
>
> I'm with you on that, mainly for (a) flexibility of configuration, (b)
> ease/speed of upgrades/patches, and (c) price involved in purchase and
> maintenance. Also as you mentioned, a firewall that starts out just filtering
> can later be modified easily to capture packets for analysis later, run
> active or passive intrusion detection, etc.

I'm in total agreement as to the utility and significant
headache reduction that a *BSD OS (with a real interactive editor
-- vi for IOS must be too challenging) makes. However, I do see a sore
spot.

One area that I've not seen much attention paid to (yet?) is
failover. Don't assume that I'm advocating the use of a PIX
here, but has anyone yet successfully used ipf/pf to export and
then import the state tables on a backup host? In my experience, doing
that w/ PIXen has been quite simple.

Forget all the ARP/ifconfig/heartbeat fudgery that'd be required to
achieve failover on *BSD with ipf/pf -- just finding a simple way to
move said state table from host to host seems interesting and
challenging.

How do we address availability concerns while using commodity hardware and
OSes? Are they valid concerns, even? <G>

--Tk
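Added illustration, not part of the original post or thread: the question above (moving pf's state table to a backup host without ad-hoc ARP/heartbeat scripting) is what OpenBSD later answered with pfsync (OpenBSD 3.3) and CARP (OpenBSD 3.5). The fragments below show a two-node active/backup pf pair; interface names (em0 outside, em1 as a dedicated sync link), the addresses, the vhid and the CARP password are assumptions chosen for the example. The backup node uses the same files with 10.0.0.2 on em1 and a higher advskew on carp0.

```conf
# ---- dedicated sync link (crossover cable or private VLAN, nothing else on it)
# /etc/hostname.em1   (assumed interface; 10.0.0.2 on the backup node)
inet 10.0.0.1 255.255.255.0

# ---- pfsync: multicast state inserts/updates/deletes out the sync link
# /etc/hostname.pfsync0
syncdev em1
up

# ---- CARP: the outside address the clients actually talk to
# /etc/hostname.carp0   (advskew 0 on the primary, 100 on the backup)
vhid 1 carpdev em0 pass examplepassword advskew 0
inet 192.0.2.1 255.255.255.0

# ---- /etc/pf.conf fragment
ext_if  = "em0"
sync_if = "em1"

# CARP advertisements must be allowed on the shared segment,
# pfsync traffic only on the dedicated sync link.
pass on $ext_if proto carp
pass quick on $sync_if proto pfsync

# ---- /etc/sysctl.conf
# let the primary take the address back once it is healthy again
net.inet.carp.preempt=1
```

Checks: `ifconfig carp0` on each box shows `MASTER` on one and `BACKUP` on the other; `pfctl -s states` on the backup lists sessions it never saw a SYN for, which is the state table arriving over pfsync; `tcpdump -n -i em1 ip proto 240` shows the pfsync updates themselves. The practitioner's caveat is that pfsync carries no authentication: anyone who can inject on the sync segment can add or remove firewall states on the peer, so the link must be physically private (or, for a routed sync peer, carried over IPsec via `syncpeer`).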



