[GRLUG] *Need Topics for next meeting

Greg Folkert greg at gregfolkert.net
Wed Mar 5 12:10:08 EST 2008


On Wed, 2008-03-05 at 10:43 -0500, Joe Vanderstelt wrote:
> I know this is not Linux related but are there any good OpenBSD based
> firewall distros?
> 
> I am currently using pfSence but that is based on FreeBSD.
> 
> Also does any know of any Linux / BSD firewall distro that truly supports IPv6?

For the foreseeable future, IPv6 is a lame dog in the race. (like 5-7
years minimum)

IPv6 has significant obstacles to yet overcome. It has problems like:

        IPv6 being tunneled via IPv4 links (universally, with
        exceptions)
        IPv6 prefixes aren't even fully agreed upon
        IPv6 will add about a ka-jillion GB of data to the routing
        tables in current form and thinking

On the good side though:
        IPv6 is TRULY supported by Linux and BSDs out of the box

The reason that you are not seeing TRUE IPv6 support for firewalls is
that at this point IPv6 is really ONLY on Internet2 and even then
Michnet is doing Tunneling over IPv4 for that connectivity to various
Research departments of universities.

You can take all of your pfSense rules and put them in the following
program and it'll make things.

Wait pfSense? "pf" *IS* OpenBSD, "ipfilter" is FreeBSD...


Well, I have one thing to say:

        Use fwbuilder

http://www.fwbuilder.org/

It supports

      * iptables (multiple version knowledge for more advanced stuff for
        later versions)
      * ipfw
      * ipfilter
      * pf
      * PIX
      * FWSM

and the following related OSes for them (apropos OS for apropos
filtering tech)

      * FreeBSD
      * OpenBSD
      * Linux (2.4.X and 2.6.X)
      * Cisco FWSM
      * Cisco PIX
      * Mac OSX
      * Solaris
      * Linksys/Sveasoft

Third party extensions are also available. Some being integrated into
fwbuilder. If you write a policy kit for it, say for another firewall
product... it should just work.

It's got tons of predefined services and host types, networks and other
stuff.

One feature that won me over was the fact that one customer of mine was
using a Cisco PIX, I created the whole rule set in fwbuilder.

They eventually decided to change to a Linux firewall (at my bidding)
and all I had to do was change the OS and policy kit used and everything
was generated and good to go.

So in summary:

Just build a small cheap OpenBSD box and generate your rules with
fwbuilder, export the "script" install it and run it. Doesn't really
matter what distro you run.
-- 
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2