[BUGS] firewalls

Jerahmy Pocott quakenet1 at optusnet.com.au
Sun Dec 23 00:35:05 EST 2007


On 22/12/2007, at 1:51 PM, Glenn wrote:

> Hi,
> at home I have a DSLG604 ADSL router with built in firewall. The
> firewall is configured to allow all traffic out and no traffic in.
> My workstation (FBSD 6.2) does not run a firewall and I'm wondering  
> if I should.

That's fairly standard.


> Other machines on the network run Windows and have a firewall  
> enabled so I
> guess I'm feeling a bit "naked".

To be honest I disable the Windows firewall on systems I'm involved with;
it causes more headaches for me to administer than it provides
protection for anything (for example, in the default configuration it
blocks PING).


> Do I really need one and if yes would pf be a good choice?

That depends on what you need to firewall from..

Your gateway is denying all incoming traffic, NAT in itself provides a  
sort of firewall anyway, only established sockets can communicate  
through your NAT gateway. Do you want to stop packets going OUT from  
your machine? Then you will want a firewall. Do you want to stop  
anyone on the local LAN from connecting to your machine? Then you will  
want a firewall. If neither of those is true then there is no reason
to bother with one except for 'fun' or learning experience.

The three main choices are IPFW, IPF and PF (I think?). That being  
IPFireWall, IPFilter and PacketFilter respectively, each of those come  
ready built with all versions starting at 6.0 (or was it earlier?).
Anyway, IPFW was written 'for' FBSD and was always the default
previously. Personally I quite like it and have never had any problems  
with it. IPF is very popular and it had stateful packet inspection  
before IPFW did I think, but that's no longer an issue, it's about as  
easy to set up as IPFW in my opinion and probably has better user-land  
tools to inspect stats etc, though its configuration doesn't support  
variables or scripting (I think they are adding that in the next  
version) whereas IPFW's configuration can be a shell script. As for PF
it's fairly new to FBSD and I've never used it, I'm sure it's quite
good as well..

My personal opinion is that you do not need a firewall, it will not  
provide you with any significant additional security, however there is  
no harm in having one and configuring it on a system that is not  
providing essential network services is a great place to learn about  
any of the various firewalls and try them out. So the question is, how  
bored are you vs how lazy are you? Me, I'm lazy and wouldn't bother..

Cheers,
J.
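A minimal stateful IPFW ruleset of the kind the reply describes (allow everything outbound, let only replies to our own connections back in, drop unsolicited inbound from the LAN), written as a shell script since that is what IPFW's configuration can be. This is an added example, not the poster's configuration; the LAN prefix 192.168.1.0/24 and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical IPFW ruleset for a FreeBSD workstation behind a NAT gateway.
# Added example, not the list author's config. The LAN prefix below is a
# constructed value; adjust it to your own network.
lan_net="192.168.1.0/24"
ipfw_cmd="${IPFW:-/sbin/ipfw}"

# Print the ruleset as ipfw(8) "add" lines. Rules are matched in number
# order, first match wins; check-state/keep-state give stateful filtering,
# so replies to our own outbound connections get in and nothing else does.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 1000 check-state
add 1100 allow tcp from me to any out setup keep-state
add 1200 allow udp from me to any out keep-state
add 1300 allow icmp from me to any out keep-state
add 2000 allow icmp from $lan_net to me in icmptypes 8
add 3000 deny log tcp from any to me in setup
add 3100 deny log udp from any to me in
add 65000 deny ip from any to any
EOF
}

# Number of rules the script would install (handy for a sanity check).
rule_count() {
    ipfw_rules | grep -c '^add '
}

# Flush the existing ruleset and load ours, one rule per ipfw invocation.
load_rules() {
    "$ipfw_cmd" -q -f flush
    ipfw_rules | while read -r rule; do
        # the rule words must split into separate ipfw arguments
        "$ipfw_cmd" -q $rule
    done
}

# Only touch the running firewall when explicitly asked:  sh ipfw.sh load
if [ "${1:-}" = "load" ]; then
    load_rules
fi
```

Rule 2000 still answers ping from the LAN (so the machine is not "invisible" to the gateway's own checks) while 3000/3100 log and drop any other inbound attempt; watch /var/log/security for the logged hits when trying the ruleset out.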

