Contributed by Dengue on from the d-&-t-fan-club dept.
"It is difficult, however, for someone who currently does not work in a corporate environment to learn how to properly configure the rulesets for a firewall.
Over the weekend, I replaced my DSL router with emBSD, a stripped-down version of OpenBSD running Ipfilter. Installation was easy, and in about 12 minutes, I had a firewall up and running. Because I now control every aspect of the firewall, I am able to test and try out complex rulesets on a production-quality firewall.
Also, ipfilter's ruleset language seems infinitely more intuitive and easier to understand than ipchains. Also, Ipfilter is stateful, like netfilter, while ipchains is not.
Most of us cannot afford something such as Raptor or Firewall 1. Nor is there any reason to believe that spending $25K on a firewall means it's a better or, more importantly, a more secure firewall. In my experience in consulting, I have noticed that it is generally a poor understanding of rulesets which results in poor firewall security. Ipfilter run at home or in a small office environment is perfect for setting up NAT as well as having a secure firewall for very little money. I am running mine on an old Pentium 133MHz + 64Meg on a 64Meg Sandisk IDE. It works beautifully. It then would seem that as far as firewalls go, Ipfilter is the most cost effective, accessible stateful firewall available.
I would recommend all sys admins out there as well as managers to take a look at OpenBSD + Ipfilter as an alternative to buying one of the large commercial firewalls. OpenBSD is secure by default, and Ipfilter is easy to configure and use, and it's stateful. It runs happily on very low end hardware, and once set up, it just runs and runs.
I would also recommend anyone who is interested in learning more about firewalls to set one up."