OpenBSD Journal

Ipfilter & emBSD: the ultimate firewall learning tools

Contributed by Dengue on from the d-&-t-fan-club dept.

Albert writes: "As a security consultant, I find it annoying that most people think that a firewall is this mythical object that once placed on your network, will make it into Fort Knox. Firewalls should be part of your overall security strategy, but not the only part."

"It is difficult however for someone who currently does not work in a corporate environment to learn how to properly configure the rulesets for a firewall.

Over the weekend, I replaced my DSL router with emBSD, a stripped down version of OpenBSD running Ipfilter. Installation was easy, and in about 12 minutes, I had a firewall up and running. Because I now control every aspect of the firewall, I am able to test and try out complex rulesets on a production quality firewall.

Also, ipfilter's ruleset language seems infinitely more intuitive and easier to understand than ipchains. Also, Ipfilter is stateful, like netfilter, while ipchains is not.

Most of us cannot afford something such as Raptor or Firewall 1. Nor is there any reason to believe that spending $25K on a firewall means it's a better or, more importantly, a more secure firewall. In my experience in consulting, I have noticed that it is generally a poor understanding of rulesets which results in poor firewall security. Ipfilter run at home or in a small office environment is perfect for setting up NAT as well as having a secure firewall for very little money. I am running mine on an old Pentium 133MHz + 64MB on a 64MB SanDisk IDE. It works beautifully. It then would seem that as far as firewalls go, Ipfilter is the most cost effective, accessible stateful firewall available.

I would recommend all sys admins out there as well as managers to take a look at OpenBSD + Ipfilter as an alternative to buying one of the large commercial firewalls. OpenBSD is secure by default, and Ipfilter is easy to configure and use, and it's stateful. It runs happily on very low end hardware, and once set up, it just runs and runs.

I would also recommend anyone who is interested in learning more about firewalls to set one up."
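The kind of stateful, default-deny ruleset with NAT that the submission describes for a home DSL gateway, as an added example (not configuration from the article or from emBSD); the interface names ne0/ne1 and the 192.168.1.0/24 inside network are assumed:

```conf
# /etc/ipf.rules  (assumed: ne0 = DSL/external, ne1 = internal LAN)
# ipfilter evaluates all rules and the LAST match wins unless "quick" stops processing,
# so the default-deny rules go first and the specific "quick" passes follow.
block in log all
block out all

# loopback and the trusted LAN side are unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ne1 all
pass out quick on ne1 all

# anti-spoofing: private/loopback source addresses never arrive from the Internet
block in log quick on ne0 from 10.0.0.0/8 to any
block in log quick on ne0 from 172.16.0.0/12 to any
block in log quick on ne0 from 192.168.0.0/16 to any
block in log quick on ne0 from 127.0.0.0/8 to any

# outbound sessions: only a TCP SYN (flags S) may create state, replies are matched by the state table
pass out quick on ne0 proto tcp from any to any flags S keep state
pass out quick on ne0 proto udp from any to any keep state
pass out quick on ne0 proto icmp from any to any icmp-type 8 keep state

# nothing unsolicited comes in from the outside; answer TCP probes with RST instead of silently dropping
block return-rst in log quick on ne0 proto tcp from any to any flags S
block return-icmp-as-dest(port-unr) in log quick on ne0 proto udp from any to any

# /etc/ipnat.rules  (loaded separately with ipnat -f)
# 0/32 means "use whatever address ne0 currently has", which suits a dynamic DSL address
map ne0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:65000
map ne0 192.168.1.0/24 -> 0/32
```

Load the rules with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then watch `ipmon -o I` to confirm that only the blocked inbound probes show up in the log.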


  1. By Alternative Man () on

    Check out the gnat box, a free version runs off a floppy and allows up to five users inside the firewall. It's stateful, based on BSD, has an optional DMZ, web page administration, and no hard drive, no flash required for the free version.

  2. By Curtis () on

    I've never understood why companies feel the need to use commercial firewall systems. How could you possibly justify spending $30000+ on a firewall system? Sure, they sometimes provide some sort of GUI, but for that much money I would expect more.

    You would be much better off putting the money towards a full-time FW admin who can automate the open-source firewall to meet your expectations and needs, instead of what the commercial FW company *thinks* you need.

    OpenBSD + Ipfilter rocks.


  3. By Anonymous Coward () on

    As for me, I would love to use ipf and OpenBSD as the firewall of choice for my 5000 users. Every day my log file is 400K lines, and that is logging non-web browsing activity. Web browsing would take 10 times the space. We run on a Sparc Ultra 60 with FW-1, and have more than 75 rules. Adding rules via the GUI works, and previewing the activity via a GUI works as well. To process the logs I move them to OpenBSD and use Perl to generate summary reports. I use ipf on an old P2 120 running 2.8 at home for my cable modem setup with NAT and dhcp. Works great. But when you need to lay your job on the line, you don't mind spending the $30,000. I wonder who is using ipf on OpenBSD on the high end. We pump 6 - 8 megabits/sec of data daily through our firewall; anyone doing similar traffic levels care to comment on what platform you are using and how easy it is with ipf?

  4. By Meder () on

    I tried emBSD, and the only thing that made me use OpenBSD on a firewall is because there is no IPSec there.

  5. By Ken () on

    As one of the developers of OpenBSD I find that people think it's either a fix-all or it's nothing... When it comes down to it, emBSD is still very much in its infancy. The upcoming release addresses several issues that we have seen from people wanting to use emBSD but haven't because of different issues.

    1) Documentation and setup: more setup instructions are coming.

    2) Several people have expressed concern about the source. We are in the process of cleaning up the patches so that they are useful to people besides us. We are toying with the idea to convert the patching process to a port style setup so life is much easier when newer source or releases come out.

    3) Several things were left out that are needed to make things a bit nicer; IPSec for one is slated to be made a package for the upcoming release. Also, named, dhcp, ppp, and wireless support.

    4) emBSD is designed as an ipf/router for a small footprint. At this point it is a good firewall and/or router and that's about it. Everyone just grabs the latest release of this firewall or that firewall and thinks that just by setting it up, poof, all your problems are going to go away. It will help with some issues, but it will not solve all your problems. Even though it will run, there are always new ways coming out to circumvent even some of the best security software available. Pay attention to all the good sources for the latest exploits, use some form of IDS and/or logging, review those logs and make adjustments to your ruleset as required.

    5) emBSD is not a floppy based system and was never intended to be... there are plans for emBSD that don't allow this, and floppies are not very reliable for long term operations... (when's the last time you lost a document because a floppy went south on you?)

    I hope this clears up a few issues. And if there are any other issues you would like to know about suggestions etc, feel free to join the mailing list or visit the website at

  6. By Ago () on

    ..are not enough. You need to use proxies too. And use some kind of MAC or similar thing, like TrustedBSD and Linux implementations like RSBAC. And if you need a good proxy which is modular and extendable through Python, try out Zorp. It's written by Hungarian experts and they did a good job. It's only available for Linux right now, but one of the guys told me that they will port it to BSD. Ohh, and a big part of it is GPL'd!

  7. By Nick Buraglio () on

    I can say this about commercial firewalls:
    I've worked on Gauntlet, PIX, FW-1 and a few other pricey firewalls, and the main reason that most of the places went with a commercial product is 3 reasons:
    1. They want someone to blame, as in a company (that is exactly how it was explained to me) if it screws up.

    2. Commercial support. (again the blame factor comes into play again, for misconfiguration, etc.)

    3. Warm Fuzzy- It gives the non-technical upper management a warm fuzzy to look at and think to themselves that they are secure because Checkpoint (or Cisco, or HP, or whatever) says they are.

    It's a stupid reason in my opinion, but huge companies like Fortune 500, 1000, etc. have green to burn on crap like that. Personally I've deployed a good deal of firewalls, VPN devices, etc., and for most of my customers I recommend a BSD based firewall running IPF. Sure, if they have the money to burn I'll get them a PIX and set it up, but 90% of the people will take whatever you tell them to.

  8. By dalton () on

    I agree with the original sentiment that the weakest link in the chain is, generally, the FW admin who looks after the system. The number of times I've seen a poorly configured ruleset is stunning. Even more so, the number of times a commercial offering, such as Firewall-1, is just slapped on an unhardened Solaris box is beyond me. It's time that we accepted our role in the security of the systems rather than just relying on the product to do the job.

    There are so many other areas to look at in the security arena, such as social does a product cope with that? It's just a facet of a security solution, not security nirvana.

    Having said that, security from the ground up is the way to go...and to me, that's where OpenBSD fits in. I can't think of any decent alternative...


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]