nanog mailing list archives
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
From: Tony Kapela <xam () chalupa wi2600 org>
Date: Sat, 18 Jan 2003 11:12:27 -0600 (CST)
On Sat, 18 Jan 2003, Scott Francis wrote:
> > 2. I happen to like a host-based firewall (a firewall running on a normal user OS like FreeBSD) better than an appliance. You get to do anything you need with it, you have a full complement of unix tools like grep and awk and tcpdump and expect, etc. - it seems like you have more control. Assuming (for a moment) that performance were equal, does anyone else feel this way? Does anyone else prefer a normal system for a firewall over, say, a PIX?
>
> I'm with you on that, mainly for (a) flexibility of configuration, (b) ease/speed of upgrades/patches, and (c) price involved in purchase and maintenance. Also as you mentioned, a firewall that starts out just filtering can later be modified easily to capture packets for analysis later, run active or passive intrusion detection, etc.
I'm in total agreement as to the utility and significant headache-reduction that a *bsd OS (with a real interactive editor) makes -- vi for IOS must be too challenging. However, I do see a sore spot. One area that I've not seen much attention paid to (yet?) is failover. Don't assume that I'm advocating the use of a PIX here, but has anyone yet successfully used ipf/pf to export and then import the state tables on a backup host? In my experience, doing that w/ PIXen has been quite simple. Forget all the ARP/ifconfig/heartbeat fudgery that'd be required to achieve failover on *bsd with ipf/pf -- just finding a simple way to move said state table from host to host seems interesting and challenging. How do we address availability concerns while using commodity hardware and OSes? Are they valid concerns, even? <G>

--Tk
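The post asks how a stateful firewall's state table could be exported from one host and imported on a backup. The following is an added illustration of what such a hand-off has to get right; it is not code from the post, from ipf/pf, or from any firewall. The record format, the field names, and the TTL handling are assumptions chosen to show two points: ship the remaining lifetime of each state rather than an absolute timestamp (the two hosts' clocks need not agree), and validate every imported entry before the backup trusts it.

```python
"""State-table hand-off sketch (added example; format and fields are assumptions)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class StateEntry:
    proto: str          # "tcp" or "udp" in this sketch
    src: str
    sport: int
    dst: str
    dport: int
    expires_at: float   # absolute time on the host that currently holds the entry


def export_states(table, now):
    """Serialise live entries as text lines carrying remaining TTL, not wall-clock time."""
    lines = []
    for s in table:
        ttl = s.expires_at - now
        if ttl <= 0:
            continue  # already dead on the primary: do not ship it
        lines.append(f"{s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} ttl={ttl:.0f}")
    return lines


def _parse_endpoint(text):
    """Split 'host:port', raising ValueError on anything that is not a valid address/port."""
    host, _, port = text.rpartition(":")
    ipaddress.ip_address(host)          # ValueError if host is not an IP address
    port = int(port)                    # ValueError if port is not numeric
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return host, port


def import_states(lines, now, allowed_protos=("tcp", "udp")):
    """Rebuild a state table on the backup host.

    Returns (accepted, rejected). Malformed, unknown-protocol or expired
    entries are rejected rather than silently installed: an imported state
    grants traffic a bypass of the ruleset, so it must be well-formed.
    """
    accepted, rejected = [], []
    for line in lines:
        try:
            proto, src, arrow, dst, ttl_field = line.split()   # ValueError on wrong field count
            if arrow != "->" or proto not in allowed_protos or not ttl_field.startswith("ttl="):
                raise ValueError(line)
            ttl = float(ttl_field[len("ttl="):])
            if ttl <= 0:
                raise ValueError(line)
            src_h, src_p = _parse_endpoint(src)
            dst_h, dst_p = _parse_endpoint(dst)
        except ValueError:
            rejected.append(line)
            continue
        # Re-anchor the lifetime to the backup's own clock.
        accepted.append(StateEntry(proto, src_h, src_p, dst_h, dst_p, now + ttl))
    return accepted, rejected


# Constructed sample table on the primary at its local time 1000.0:
# one live TCP flow with 30 s left, one UDP entry that has already expired.
SAMPLE_PRIMARY = [
    StateEntry("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 1030.0),
    StateEntry("udp", "10.0.0.6", 5353, "192.0.2.53", 53, 999.0),
]


def demo():
    exported = export_states(SAMPLE_PRIMARY, now=1000.0)
    # The backup's clock reads 5000.0; two junk lines are mixed in to show rejection.
    accepted, rejected = import_states(
        exported + ["tcp garbage", "icmp 10.0.0.1:1 -> 10.0.0.2:1 ttl=5"], now=5000.0)
    return exported, accepted, rejected


if __name__ == "__main__":
    exported, accepted, rejected = demo()
    print("exported:", exported)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The design point is that the backup never reads the primary's timestamps: it receives remaining lifetimes and installs them relative to its own clock, so a clock skew between the two boxes cannot resurrect dead flows or prematurely kill live ones. Anything that fails parsing is dropped and reported rather than installed, since an accepted state entry lets packets through without consulting the ruleset.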