Michael H. Warfield wrote:
> On Mon, Jan 22, 2001 at 11:46:59PM -0500, [EMAIL PROTECTED] wrote:
>
>> Not to put down Linux, I used to be a huge fan, but for a Firewall I use
>> OpenBSD or FreeBSD. They are both free as well, but ipf and ipfw are Much more
>> powerful, and offer stateful inspection. Not to mention the kernel level
>> security in *BSD adds quite a bit more protection to the firewall itself.
>> Sorry if this does not answer the question at all.
>
> No...
>
> You make the common mistake that because OpenBSD is secure then
> FreeBSD is secure and that because FreeBSD is high performance then
> OpenBSD is high performance. They are NOT the same.
Blah blah blah. Here we descend into OS platform holy war wanking.
I won't compare *BSD (nyah nyah) to Linux in general, but I will compare
to redhat; FreeBSD is faster and more secure than a default redhat
install; OpenBSD is likewise. OpenBSD has no SMP support, but for the
average firewall, you won't need it.
OpenBSD is secure out of the box, even more secure once you update to
2.8-current, and plenty fast for a firewall. I feel that linux is a
better choice for the desktop due to the larger base of software which
runs (or runs better) on linux. FreeBSD is a nice choice for, say, a
fileserver. I like OpenBSD as an appliance, or as anything that will not
be behind a firewall. Since a firewall is not behind itself, well, that
tells you my opinion.
All that said, there are some deficiencies in openbsd as a firewall. For
example, my state list has been filling up; I just had to tweak a header
file and I'm now recompiling my kernel. Instructions below for any who
may need them: (Note that you can generate primes with /usr/games/primes
if you installed the games tarball)
Peter Debono sent me this email as a response to a message I posted to
the OpenBSD tech mailing list:
I quote from:
http://www.geocrawler.com/archives/3/256/2000/12/0/4787749/
Message: 4787749
FROM: pobox.com
DATE: 12/06/2000 18:52:05
SUBJECT: RE: problem with keep state limit
<...>
Yes, you have way more traffic than the default state table size(s)
can manage.
You can change the state table size by tweaking IPSTATE_SIZE and
IPSTATE_MAX in /usr/src/sys/netinet/ip_state.h.
IPSTATE_SIZE is the size of the hash table used to store
states. IPSTATE_MAX is the maximum number of states held in this
hash table.
The rules are:
IPSTATE_SIZE is a prime
IPSTATE_MAX ~= 0.7 * IPSTATE_SIZE
(yes in 3.3.16, max > size, but that's wrong)
You will have to estimate your average TCP session duration and
adjust these two knobs accordingly. For example, for an average of 1
minute per TCP session, and 100 sessions per second, I would use max =
7200 (100*60+20%) and size = the next prime after 7200/0.7.
<...>
I hope this is useful to you.
-Peter
-
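The sizing rules Peter quotes (prime IPSTATE_SIZE, IPSTATE_MAX about 0.7 of it, max estimated from session rate and duration plus 20%) as a small added calculator; this is example code written for this page, not ipfilter or OpenBSD code, and the function and struct names are mine. With the quote's own figures (100 sessions/s, 60 s each) it reproduces max = 7200 and then finds the next prime above 7200/0.7, which is 10289.

```c
#include <stdio.h>

/* IPSTATE_MAX / IPSTATE_SIZE values from the two rules quoted above. */
struct ipstate_sizing {
    unsigned long ipstate_max;  /* states the table may hold (IPSTATE_MAX) */
    unsigned long ipstate_size; /* prime hash-table size (IPSTATE_SIZE)   */
};

/* Trial division: fine for table sizes in the tens of thousands. */
static int is_prime(unsigned long n)
{
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (unsigned long d = 3; d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}

/* Smallest prime >= n. */
static unsigned long next_prime(unsigned long n)
{
    while (!is_prime(n)) n++;
    return n;
}

/*
 * Expected concurrent states = sessions_per_sec * avg_session_sec (Little's
 * law); adding headroom_pct percent slack (20 in the quote) gives IPSTATE_MAX.
 * IPSTATE_SIZE is the next prime at or above IPSTATE_MAX / 0.7 (max ~= 0.7 * size).
 */
struct ipstate_sizing size_state_table(unsigned long sessions_per_sec,
                                       unsigned long avg_session_sec,
                                       unsigned long headroom_pct)
{
    struct ipstate_sizing s;
    unsigned long expected = sessions_per_sec * avg_session_sec;
    s.ipstate_max = expected + (expected * headroom_pct + 99) / 100;
    /* ceil(max / 0.7) computed in integers as ceil(max * 10 / 7) */
    s.ipstate_size = next_prime((s.ipstate_max * 10 + 6) / 7);
    return s;
}

int main(void)
{
    /* Constructed input matching the quote: 100 sessions/s, 60 s each. */
    struct ipstate_sizing s = size_state_table(100, 60, 20);
    printf("#define IPSTATE_MAX  %lu\n#define IPSTATE_SIZE %lu\n",
           s.ipstate_max, s.ipstate_size);
    return 0;
}
```

Feed it your own measured session rate and mean duration; the output lines are the two defines to change in ip_state.h before rebuilding the kernel.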
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]