[BUGS] firewalls
Jerahmy Pocott
quakenet1 at optusnet.com.au
Sun Dec 23 00:35:05 EST 2007
On 22/12/2007, at 1:51 PM, Glenn wrote:
> Hi,
> at home I have a DSLG604 ADSL router with built-in firewall. The
> firewall is configured to allow all traffic out and no traffic in.
> My workstation (FBSD 6.2) does not run a firewall and I'm wondering
> if I should.
That's fairly standard.
> Other machines on the network run Windows and have a firewall
> enabled so I guess I'm feeling a bit "naked".
To be honest I disable Windows firewall on systems I'm involved with,
it causes more headaches for me to administer than it provides
protection for anything (For example in the default configuration it
blocks PING).
> Do I really need one and if yes would pf be a good choice?
That depends on what you need to firewall from..
Your gateway is denying all incoming traffic, NAT in itself provides a
sort of firewall anyway, only established sockets can communicate
through your NAT gateway. Do you want to stop packets going OUT from
your machine? Then you will want a firewall. Do you want to stop
anyone on the local LAN from connecting to your machine? Then you will
want a firewall. If neither of those is true then there is no reason
to bother with one except for 'fun' or learning experience.
The three main choices are IPFW, IPF and PF (I think?). That being
IPFireWall, IPFilter and PacketFilter respectively, each of those comes
ready built with all versions starting at 6.0 (or was it earlier?).
Anyway, IPFW was written 'for' FBSD and was always the default
previously. Personally I quite like it and have never had any problems
with it. IPF is very popular and it had stateful packet inspection
before IPFW did I think, but that's no longer an issue, it's about as
easy to set up as IPFW in my opinion and probably has better user-land
tools to inspect stats etc, though its configuration doesn't support
variables or scripting (I think they are adding that in the next
version) where IPFW's configuration can be a shell script. As for PF
it's fairly new to FBSD and I've never used it, I'm sure it's quite
good as well..
My personal opinion is that you do not need a firewall, it will not
provide you with any significant additional security, however there is
no harm in having one and configuring it on a system that is not
providing essential network services is a great place to learn about
any of the various firewalls and try them out. So the question is, how
bored are you vs how lazy are you? Me, I'm lazy and wouldn't bother..
Cheers,
J.
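
Added example, not part of the original message: an IPFW ruleset written as a shell script, covering the two cases named in the reply (limiting packets going out, and stopping other LAN hosts from connecting in). The addresses, ports and the `emit_rules`/`apply_rules` names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ipfw rules generated by a shell script for a LAN
# workstation behind a NAT router. All values below are constructed.

LAN_NET="192.168.1.0/24"     # assumed home LAN
ADMIN_HOST="192.168.1.10"    # hypothetical LAN host allowed to SSH in
DNS_SERVER="192.168.1.1"     # assumed: the router answers DNS
OUT_TCP_PORTS="22 80 443"    # outbound TCP services the workstation may use

# Print the ruleset, one ipfw command per line (no "ipfw" prefix),
# numbering rules 100, 200, ... in the order they are evaluated.
emit_rules() {
    n=100
    rule() { echo "add $n $*"; n=$((n + 100)); }

    rule allow ip from any to any via lo0
    rule check-state                      # replies to tracked flows pass here
    for port in $OUT_TCP_PORTS; do        # outbound: allow-listed ports only
        rule allow tcp from me to any "$port" out setup keep-state
    done
    rule allow udp from me to "$DNS_SERVER" 53 out keep-state
    rule allow icmp from me to any out icmptypes 8 keep-state   # ping out
    rule allow tcp from "$ADMIN_HOST" to me 22 in setup keep-state
    rule deny log ip from "$LAN_NET" to me in   # other LAN hosts: blocked
    rule deny log ip from any to any            # everything else, both ways
}

# Load the ruleset on FreeBSD as root. ipfw reads a rule file when given
# an absolute pathname; "log" needs net.inet.ip.fw.verbose=1 to show up.
apply_rules() {
    f=$(mktemp /tmp/ipfw.rules.XXXXXX) || return 1
    emit_rules > "$f" && ipfw -q -f flush && ipfw -q "$f"; rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    apply) apply_rules ;;
    print) emit_rules ;;
esac
```

Run it with `print` to review the generated rules before loading them with `apply`.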