[unisog] Suggestions for bridging firewall?

Adam Getchell AdamG at hrrm.ucdavis.edu
Thu Oct 31 04:38:50 GMT 2002

I've been running an OpenBSD based pf firewall for a year and a half now.

Pf does transparent bridging, NAT, and stateful packet inspection. The state
tables are AVL trees, permitting rule evaluation in log(n) operations, and
rules themselves can be easily (and automatically) optimized at load time
using skip steps.

It has a very clean and easy to use rules syntax, with labels, macros, !, <,
>, <>, ><, {, }, flags, and other operators that allow you to do what you
want with very few rules.

It also has a few features I haven't seen in other firewalls, such as scrub
rules (fragment reassembly and packet normalization), authpf (rules based on
user authentication), and modulate state for TCP (truly random sequence
number generation for clients that don't have good sequence generators).

NAT has nat, binat (bi-directional NAT), and rdr rules that automatically
keep state on connections.

It will keep state even on stateless packets such as UDP and ICMP, which
makes writing sane rules for them easy.

It reads port numbers from /etc/services, so you can refer to common ports
there, and upcoming 3.2 has automatic spoof rules to auto-preclude packets
with forged IP addresses.

In short, I've had pretty good experience in safeguarding important
information using pf and OpenBSD.

And the price is right: free! Well, you should support the project by buying
a CD. I've also helped out others on my campus set up and use transparent
bridging firewalls: a old Pentium 200 workstation with 32MB of memory has
been firewalling a department of 160+ machines on 100MB LAN, ruleset ~ 20
rules, with CPU usage no greater than 94% free, with an average 99% free,
and close to 2 months uptime.

*	Adam Getchell
AdamG at hrrm.ucdavis.edu
*	System Architect/Programmer			(530) 752-1584
*	Human Resources Information Systems
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: Robert Dormer [mailto:rdormer at pobox.upenn.edu] 
Sent: Tuesday, October 29, 2002 9:45 AM
To: unisog at sans.org
Subject: RE: [unisog] Suggestions for bridging firewall?

I'm not sure if OpenBSD has this as well or not, but FreeBSD has a firewall
program called "ipfilter" that I have found to be *very* usefull.  In
addition to doing NAT, it does statefull inspection of TCP, UDP (!) and ICMP
packets, can be configured to be "transparent" (does not increment hops
count, does not have an IP address), and has a very flexibile and easy to
learn rule format.  The FreeBSD kernel itself can also be set to drop
syn+fin packets, which prevents people from using scanners like nmap to 
an OS fingerprint on a host behind the firewall, as well as several other
usefull things.  If OpenBSD has the same set of features then I would concur
with the others who have recommended it.  If not, I'd seriously consider
taking the time to look into FreeBSD + ipfilter.

My two cents.

Robert Dormer

Information Security - University of Pennsylvania
phone: (215) 573 - 4574
email: rdormer at isc.upenn.edu
security: security at isc.upenn.edu

More information about the unisog mailing list