[unisog] Suggestions for bridging firewall?

Robert Dormer rdormer at pobox.upenn.edu
Tue Oct 29 17:44:56 GMT 2002


I'm not sure if OpenBSD has this as well or not, but FreeBSD has a firewall
program called "ipfilter" that I have found to be *very* useful.  In
addition to doing NAT, it does stateful inspection of TCP, UDP (!) and ICMP
packets, can be configured to be "transparent" (does not increment the hop
count, does not have an IP address), and has a very flexible and easy to
learn rule format.  The FreeBSD kernel itself can also be set to drop
syn+fin packets, which prevents people from using scanners like nmap to get
an OS fingerprint on a host behind the firewall, as well as several other
useful things.  If OpenBSD has the same set of features then I would concur
with the others who have recommended it.  If not, I'd seriously consider
taking the time to look into FreeBSD + ipfilter.


My two cents.
Regards,
Robert Dormer

=============
Information Security - University of Pennsylvania
phone: (215) 573 - 4574
email: rdormer at isc.upenn.edu
security: security at isc.upenn.edu
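Added example, not part of the original message: the two packet-level checks the post mentions, the kernel's SYN+FIN drop (the test behind FreeBSD's net.inet.tcp.drop_synfin sysctl) and an ipf-style `flags SET/MASK` rule match, run over a constructed raw IPv4/TCP packet. The default mask when a rule gives no `/MASK` is assumed here to be all six classic flags.

```python
import struct

# The six classic TCP flag bits, using ipf's single-letter names.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F


def tcp_flags(packet: bytes) -> int:
    """Return the TCP flag bits of a raw IPv4+TCP packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # IPv4 protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    # TCP header byte 13 holds the flags (the low 6 bits are FIN..URG).
    return packet[ihl + 13] & ALL_FLAGS


def drop_synfin(flags: int) -> bool:
    """Mirror of the net.inet.tcp.drop_synfin check: SYN and FIN set together."""
    both = TCP_FLAG_BITS["S"] | TCP_FLAG_BITS["F"]
    return (flags & both) == both


def flags_match(flags: int, spec: str) -> bool:
    """Evaluate an ipf 'flags SET/MASK' spec, e.g. 'S/SA' or 'SF/SF'.

    The packet matches when, within the masked bits, exactly SET is set.
    Assumption for this example: a missing mask means all six flags.
    """
    set_part, _, mask_part = spec.partition("/")
    want = sum(TCP_FLAG_BITS[c] for c in set_part)
    mask = sum(TCP_FLAG_BITS[c] for c in mask_part) if mask_part else ALL_FLAGS
    return (flags & mask) == want


def build_packet(flags: int) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for name, bits in (("SYN", 0x02), ("SYN+FIN", 0x03), ("SYN+ACK", 0x12)):
        f = tcp_flags(build_packet(bits))
        print(f"{name:8} drop_synfin={drop_synfin(f)} "
              f"'flags S/SA'={flags_match(f, 'S/SA')} 'flags SF/SF'={flags_match(f, 'SF/SF')}")
```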
