Best software to use for firewalling

Hi,

I've used Google to find a suitable software firewall solution for my FreeBSD web server. I'm just checking in here to see what you guys think is the best.

Thank you for any response.
 
Well, guess I've seen all guides. My question was what YOUR opinion was in the use of a firewall (interface etc).
 
What do you mean by 'interface'? A GUI? None of the built-in firewalls (ipf, ipfw, pf) have a GUI, they're command-line firewalls.

Look into pfsense or m0n0.
 
There is no generic answer to that. All firewalls can do that. You will find though, that a lot of forum members are partial to pf(4), which will (among many other things) allow you to limit connections to your webserver's port (amount of simultaneous connections, connection rate) and to use firewall tables to ward off IP addresses/ranges on the fly. Then there's traffic prioritising/shaping, redirection, anti-spoofing, etc.

All is explained in pf.conf(5) and the 'reference faq'.
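The connection limits, on-the-fly tables and anti-spoofing mentioned in the post above, written out as an added pf.conf fragment (not posted by anyone in this thread); the interface name and the web server address are assumed placeholders:

```pf
# Added example, not from the thread. em0 and 192.0.2.10 are placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Table that pf fills at runtime with misbehaving sources. Old entries can
# be dropped periodically, e.g. from cron:  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

set skip on lo0
scrub in all

# Drop packets whose source address could not legitimately arrive on $ext_if
antispoof quick for $ext_if

# Anyone already in the table is cut off before any other rule is evaluated;
# everything else inbound is denied unless a later pass rule matches.
block in quick on $ext_if from <bruteforce>
block in log on $ext_if

# Web server: at most 100 simultaneous connections per source address, and
# no more than 15 new connections within 5 seconds. A source exceeding either
# limit is added to <bruteforce> and all of its existing states are killed.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# SSH: same mechanism with a much tighter rate (3 new connections per 30 s)
pass in on $ext_if proto tcp to $web_srv port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bruteforce> flush global)

pass out on $ext_if keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, and inspect what the overload rule has collected with `pfctl -t bruteforce -T show`.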
 
Ah, looks like a nice application! Do I understand correctly that it will analyze the logs of SSH-login attempts and then block unwanted / failed attempts?
 
Innocast said:
Ah, looks like a nice application! Do I understand correctly that it will analyze the logs of SSH-login attempts and then block unwanted / failed attempts?

Correct. It is basically a logfile analyser that feeds straight into pf.
 
The state of PF in FreeBSD (I've heard) is not good - the CVS is a bit old compared to what is available from the OpenBSD project to this date.

I have not tried it out yet, so it does not trouble me much ;)

I've also heard the config is clear and easy to follow - compared to e.g. iptables in Linux...
 
rusma said:
The state of PF in FreeBSD (I've heard) is not good - the CVS is a bit old compared to what is available from the OpenBSD project to this date.
That's in relative terms, it's sort of like ZFS. The code isn't bad, it just might not support the newest bells and whistles. It does however do a pretty good job at the things which people generally want to do, even if it doesn't yet support one of the newest additions to the firewall.

Looking into it, there isn't really anything that's a must-have since they ported the version from OpenBSD 4.1.

PF is nice, and it can do far more than most people could possibly want to do with it. If you consider it, I'd spend the time to read "Book of PF"; it's a good read and covers more than you're likely to need to know about it.
 
hedwards said:
[...]
Looking into it, there isn't really anything that's a must-have since they ported the version from OpenBSD 4.1.
[...]

I can't believe you - 2.5 years is a pretty long time :) I thought there was some CARP stuff that has been improved since last time.
 
rusma said:
I can't believe you - 2.5 years is a pretty long time :) I thought there was some CARP stuff that has been improved since last time.
Eh, different opinions of must-have. The things which most people would want were in there by that point. There have been changes, but PF matured very quickly; most of the work that's been done in the last probably 4 years has been extending functionality. Looking through the summary of changes since then, there's very little listed, and only a couple of changes that seem to be of any sort of significance to me.
 