[TriLUG] using a Linux box as a pass-through filter

skippy1 at hickorytech.net skippy1 at hickorytech.net
Tue Dec 21 11:40:37 EST 2004


OpenBSD does seem to attract a few fanatics, doesn't it.  Linux of course
would never attract anyone like that....

Seriously, the reason I like OpenBSD for firewalls isn't for OpenBSD
itself, though it does have a good security reputation.  It's for the
firewall utility it uses: pf.  I like iptables and have used it many times
but pf is a whole 'nother story.

Advantages to pf:

Much easier to modify specific rules without affecting other rules.  Pf lets
you set up tables of addresses and reference the table in various rules.
You can then add and remove addresses from the table on the fly without
flushing the ruleset and re-adding the rules.  Literally, the command
'pfctl -t tablename -T add 192.168.0.1/24'
and you've blocked or allowed a class C.

Pf has the scrub option which does packet reassembly and drops invalid
options.  Iptables can do much of the same things, but not so easily.  I
normally don't trust things that seem too easy to set up, but after using it
in a production environment the scrub option seems to just work.

Pf has a setup for traffic shaping based on ports.  If you want to reserve
half your bandwidth for FPS games and limit http to a quarter, pf lets you
do so.

Bridging is built in.  Back when I looked at doing a bridging firewall in
Linux (several years ago, it may be better now) it took a bit of doing.

Disadvantages to pf:

There is definitely a learning curve.  Pf works on a different basic setup
from iptables and it can take a little getting used to.

It's powerful.  Similar to iptables, the syntax can be complex and it's not
always obvious if you've made a mistake.

It doesn't deal with FTP quite as well as Iptables does.  Pf has some
options, but the ipconntrack module seems much slicker to me.

My summary:

If you are comfortable with Linux and won't be changing the rules often,
go with Linux and Iptables.

If you are likely to change the rules often and have time to learn Pf, go
with Pf.


Skippy
skippy at skippylair.net

(this rambling msg brought to you by the letters p and f and the word
enthusiast)
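As an added illustration of the table and scrub features described above (this is example configuration written for this page, not taken from the original post or from the pf documentation), here is a minimal pf.conf in the pf syntax of that era. The interface name, the table name and all addresses are assumptions; 192.0.2.0/24 is a documentation placeholder range.

```conf
# Assumed interface name (not from the original post)
ext_if = "fxp0"

# Addresses in this table can be changed at runtime with pfctl without
# reloading the ruleset.  "persist" keeps the table around even when no
# loaded rule references it.  The initial address is a made-up example.
table <blocked> persist { 10.0.0.0/8 }

# Reassemble fragments and drop packets with invalid options before any
# filter rule sees them.
scrub in all

# Default deny inbound; log what gets dropped so it shows up in pflog.
block in log on $ext_if all

# Let the firewall's own outbound traffic out and keep state so replies
# are matched without a separate inbound rule.
pass out on $ext_if keep state

# Anything from the table is dropped immediately ("quick" stops rule
# evaluation here, so later pass rules cannot override it).
block in quick on $ext_if from <blocked> to any

# Then allow only what you actually want, e.g. ssh to the firewall.
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

# Runtime management, typed at the shell:
#   pfctl -nf /etc/pf.conf                   # parse only; catch syntax errors
#   pfctl -f /etc/pf.conf                    # load the ruleset
#   pfctl -t blocked -T add 192.0.2.0/24     # block a /24 on the fly
#   pfctl -t blocked -T delete 192.0.2.0/24  # unblock it again
#   pfctl -t blocked -T show                 # list current table contents
```

Running `pfctl -nf` before `pfctl -f` is the check that catches a typo before it locks you out of the box.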

> I know there are quite a few folks here who think that any OS outside of
> OpenBSD is just begging to be cracked, but frankly I'm pretty satisfied
> with my Debian box, running exactly the config you're talking about.
> It's been doing so for at least 3 years now, and no problems.  I could
> share my (underlying) iptables rule set with you, if you like.  It's
> rather easy once you have the framework down, in my experience.  I set
> mine up using an article in Linux Magazine as a reference, and their
> sample config as a basis for my own rules.
>
> Let me know if you would like to see my iptables rules.  My experiences
> with *BSD have been (much) less than satisfying, so if you have similar
> experiences, and wish to turn back, I'd be happy to help you get this up
> and running under Linux.
>
> Regards,
> Ben Pitzer
[snip]
>> -----Original Message-----
>> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
>> Behalf Of Dan Monjar
>> Sent: Monday, December 20, 2004 8:55 AM
>> To: TriLug
>> Subject: [TriLUG] using a Linux box as a pass-through filter
>>
>>
>> An idea I had late last night while I listened to the wind howl...
>> would it be possible to setup a Linux box with two nics and use
>> various firewall rules to filter traffic and ports... the possible
>> gotcha is that I don't want either nic to have an IP address.  I want
>> to take traffic in on one port, analyze and drop unwanted packets and
>> then push the acceptable traffic out through the other nic.
>>
>> I want an in-line filter...
>>
>> I wish everyone on the list a Happy and Safe Holiday season.
>> --
>> Dan Monjar
