[unisog] Suggestions for bridging firewall?

Steve Bernard sbernard at gmu.edu
Wed Oct 30 20:42:23 GMT 2002

OpenBSD used 'ipfilter' for a long time but removed it at version 3.0
because of incompatible licensing changes that were made by the developer of
'ipfilter', Darren Reed. Within a couple of weeks Daniel Hartmeier wrote a
complete replacement for 'ipfilter', 'pf', which is almost 100% ruleset
compatible with 'ipfilter'. The two have some differences but are mostly
similar. 'pf' does all of the standard stuff like stateful inspection,
scrubbing for bad packets, TCP/UDP/ICMP protocols, redirection, NAT, etc. As
I stated before, it is very easy to configure OpenBSD, and FreeBSD for that
matter, as a "transparent" bridging firewall, or as a routing firewall.
OpenBSD has the advantage, in my opinion, because the VPN services are
better and OpenBSD's central purpose is to be a proactively secure OS, with
features like privilege separation, limited 'suid' and 'sgid' programs, work
on ACLs, and support for many hardware platforms. That's not a knock against
FreeBSD or Linux, I just believe that OpenBSD is a better choice for network
security devices.


Steve Bernard
Systems Engineer, NET
George Mason University

-----Original Message-----
From: Robert Dormer [mailto:rdormer at pobox.upenn.edu]
Sent: Tuesday, October 29, 2002 12:45 PM
To: unisog at sans.org
Subject: RE: [unisog] Suggestions for bridging firewall?

I'm not sure if OpenBSD has this as well or not, but FreeBSD has a firewall
program called "ipfilter" that I have found to be *very* useful.  In
addition to doing NAT, it does stateful inspection of TCP, UDP (!) and ICMP
packets, can be configured to be "transparent" (does not increment hop
count, does not have an IP address), and has a very flexible and easy to
learn rule format.  The FreeBSD kernel itself can also be set to drop
syn+fin packets, which prevents people from using scanners like nmap to get
an OS fingerprint on a host behind the firewall, as well as several other
useful things.  If OpenBSD has the same set of features then I would concur
with the others who have recommended it.  If not, I'd seriously consider
taking the time to look into FreeBSD + ipfilter.

My two cents.

Robert Dormer

Information Security - University of Pennsylvania
phone: (215) 573 - 4574
email: rdormer at isc.upenn.edu
security: security at isc.upenn.edu
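As an added example that is not part of either post: a minimal pf.conf for the transparent bridging setup Steve describes, written in current OpenBSD pf syntax (which postdates this 2002 thread), with the interface names em0/em1 and the 192.0.2.0/24 addresses assumed for illustration. The `flags S/SAFR` rules also cover the syn+fin point Robert raises, since a TCP packet with FIN or RST set alongside SYN cannot match them and is dropped by the default block.

```pf
# /etc/pf.conf for a transparent bridging firewall (added example).
# Assumed: em0 faces the outside, em1 faces the protected hosts; both are
# members of bridge0 and carry no IP address, so there is no NAT here.
ext_if    = "em0"
int_if    = "em1"
protected = "192.0.2.0/24"    # constructed example network behind the bridge
web_srv   = "192.0.2.10"      # constructed example host allowed inbound HTTP

# A bridged packet is seen on both member interfaces; filter once, on the
# outside member, and let the inside member through untouched.
set skip on { lo0 $int_if }

# Normalise fragments and odd packets before any filter rule sees them
match in all scrub (no-df random-id)

# Default deny in both directions; log the drops for review
block log all

# Outbound: protected hosts may open connections. State is created only on a
# clean SYN (ACK, FIN and RST all clear), so SYN+FIN probes never match.
pass out on $ext_if inet proto tcp from $protected to any \
    flags S/SAFR modulate state
pass out on $ext_if inet proto { udp icmp } from $protected to any keep state

# Inbound: only HTTP to the web server, with the same flag check, plus pings
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SAFR modulate state
pass in on $ext_if inet proto icmp from any to $protected \
    icmp-type echoreq keep state
```

The bridge itself comes from /etc/hostname.bridge0 containing the lines `add em0`, `add em1` and `up`, with `up` alone in hostname.em0 and hostname.em1. `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, so a syntax error is caught before the bridge goes into production.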
