Re: router / firewall with PF and carp.
On Fri, 01 Oct 2010 08:24:30 -0400, Kevin Kobb wrote:

> Both would probably be fine. However, I would recommend taking a look
> at pfsense if I were you. It is made to do what you want without as
> much of the overhead as a full blown *BSD install.
>
> It is easier to configure, update, the documentation is good, and you
> can get top notch paid support from the developers if you want.

Pfsense was our first choice but it does not handle IPv6 yet.
http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

Thanks to all for your replies, regards.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: router / firewall with PF and carp.
On 1 October 2010 15:34, Kevin Wilcox wrote:

> On 1 October 2010 10:16, Daniel Bye wrote:
>
> > On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:
> >
> > > Krad, I was under the impression that 'audit' from TrustedBSD is built
> > > into FreeBSD. Is there a facility in OpenBSD that is "better" or is
> > > there something in 'audit' that is lacking?
> >
> > I think krad is referring to the well-publicised code audit that the OpenBSD
> > project conducts, rather than the TrustedBSD audit framework. As far as I
> > know, OpenBSD doesn't have anything comparable, but it's a long time since I
> > looked at it, so I might be typing out of me ear...
>
> Dan, that makes perfect sense. I'm working up a BSD presentation for
> the local LUG next week and the latest compare/contrast I was working
> on was SELinux/GrSecurity/Pax versus TrustedBSD; my brain immediately
> parsed auditing as an audit trail, not the immense code audit for the
> base system.
>
> Thanks for the reality check!!
>
> kmw

I know what you mean, whenever I have worked with SELINUX policies and the bsd MAC framework, it has fried my brain a little 8)
Re: router / firewall with PF and carp.
On 1 October 2010 10:16, Daniel Bye wrote:

> On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:
>
> > Krad, I was under the impression that 'audit' from TrustedBSD is built
> > into FreeBSD. Is there a facility in OpenBSD that is "better" or is
> > there something in 'audit' that is lacking?
>
> I think krad is referring to the well-publicised code audit that the OpenBSD
> project conducts, rather than the TrustedBSD audit framework. As far as I
> know, OpenBSD doesn't have anything comparable, but it's a long time since I
> looked at it, so I might be typing out of me ear...

Dan, that makes perfect sense. I'm working up a BSD presentation for the local LUG next week and the latest compare/contrast I was working on was SELinux/GrSecurity/Pax versus TrustedBSD; my brain immediately parsed auditing as an audit trail, not the immense code audit for the base system.

Thanks for the reality check!!

kmw
Re: router / firewall with PF and carp.
On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:

> On 1 October 2010 05:29, krad wrote:
>
> > In my experience freebsd should work fine. However I would say openbsd is
> > probably better suited to your needs, due to its tighter security model
> > (auditing)
>
> Krad, I was under the impression that 'audit' from TrustedBSD is built
> into FreeBSD. Is there a facility in OpenBSD that is "better" or is
> there something in 'audit' that is lacking?

I think krad is referring to the well-publicised code audit that the OpenBSD project conducts, rather than the TrustedBSD audit framework. As far as I know, OpenBSD doesn't have anything comparable, but it's a long time since I looked at it, so I might be typing out of me ear...

Dan

-- 
Daniel Bye
 _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
Re: router / firewall with PF and carp.
On 1 October 2010 05:29, krad wrote:

> In my experience freebsd should work fine. However I would say openbsd is
> probably better suited to your needs, due to its tighter security model
> (auditing)

Krad, I was under the impression that 'audit' from TrustedBSD is built into FreeBSD. Is there a facility in OpenBSD that is "better" or is there something in 'audit' that is lacking?

Thanks!

kmw
Re: router / firewall with PF and carp.
Both would probably be fine. However, I would recommend taking a look at pfsense if I were you. It is made to do what you want without as much of the overhead as a full blown *BSD install.

It is easier to configure, update, the documentation is good, and you can get top notch paid support from the developers if you want.

On 9/30/2010 6:19 PM, Patrick Lamaiziere wrote:

Hi,

We are in the process to replace two Cisco Pix firewalls and one Cisco router with two servers running PF with carp. The network is large (it is a University) and all will depend on these two machines.

We have made some tests with OpenBSD, PF and OpenBGPD and it looks to work (but we have to make a lot more tests to validate this).

I think that the support for an OpenBSD release is very small (only one year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4 years of support if we follow a stable branch).

I am a happy user of FreeBSD since some time - I mean that I know it is not perfect and there are some bugs! - but I don't have any experience running it as a router on a large network. So, are PF and carp expected to work fine on FreeBSD or are there some known problems?

Do you think that OpenBSD suits better for this?

Thanks, regards.
Re: router / firewall with PF and carp.
I can say that both of them are pretty good choices. In my personal experience I had the same configuration that you are planning to implement, with two servers on OpenBSD 4.6 + carp + bgp as a router in a huge network. The only problem was some well-known bug with carp and bgp: for some reason, sometimes one of the server NICs (carp-backup) tries to become master when it wasn't necessary... and the routes were screwed up. But now with the new openbsd 4.8, if I were you I would give it a try.

Jorge E. Espada

On Fri, Oct 1, 2010 at 6:29 AM, krad wrote:

> On 30 September 2010 23:19, Patrick Lamaiziere wrote:
>
> > Hi,
> >
> > We are in the process to replace two Cisco Pix firewalls and one Cisco
> > router with two servers running PF with carp. The network is large
> > (it is a University) and all will depend on these two machines.
> >
> > We have made some tests with OpenBSD, PF and OpenBGPD and it looks to
> > work (but we have to make a lot more tests to validate this).
> >
> > I think that the support for an OpenBSD release is very small (only one
> > year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4
> > years of support if we follow a stable branch).
> >
> > I am a happy user of FreeBSD since some time - I mean that I know it is
> > not perfect and there are some bugs! - but I don't have any experience
> > running it as a router on a large network. So, are PF and carp expected
> > to work fine on FreeBSD or are there some known problems?
> >
> > Do you think that OpenBSD suits better for this?
> >
> > Thanks, regards.
>
> In my experience freebsd should work fine. However I would say openbsd is
> probably better suited to your needs, due to its tighter security model
> (auditing). You will also get a newer version of pf with openbsd. If you get
> issues with openBGP you could look at quagga. I have used it in the past
> but haven't for a while so am not sure of the state of it now.
Re: router / firewall with PF and carp.
On 30 September 2010 23:19, Patrick Lamaiziere wrote:

> Hi,
>
> We are in the process to replace two Cisco Pix firewalls and one Cisco
> router with two servers running PF with carp. The network is large
> (it is a University) and all will depend on these two machines.
>
> We have made some tests with OpenBSD, PF and OpenBGPD and it looks to
> work (but we have to make a lot more tests to validate this).
>
> I think that the support for an OpenBSD release is very small (only one
> year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4
> years of support if we follow a stable branch).
>
> I am a happy user of FreeBSD since some time - I mean that I know it is
> not perfect and there are some bugs! - but I don't have any experience
> running it as a router on a large network. So, are PF and carp expected
> to work fine on FreeBSD or are there some known problems?
>
> Do you think that OpenBSD suits better for this?
>
> Thanks, regards.

In my experience freebsd should work fine. However I would say openbsd is probably better suited to your needs, due to its tighter security model (auditing). You will also get a newer version of pf with openbsd. If you get issues with openBGP you could look at quagga. I have used it in the past but haven't for a while so am not sure of the state of it now.
router / firewall with PF and carp.
Hi,

We are in the process to replace two Cisco Pix firewalls and one Cisco router with two servers running PF with carp. The network is large (it is a University) and all will depend on these two machines.

We have made some tests with OpenBSD, PF and OpenBGPD and it looks to work (but we have to make a lot more tests to validate this).

I think that the support for an OpenBSD release is very small (only one year) and I'm suggesting to use FreeBSD instead (we can expect ~3/4 years of support if we follow a stable branch).

I am a happy user of FreeBSD since some time - I mean that I know it is not perfect and there are some bugs! - but I don't have any experience running it as a router on a large network. So, are PF and carp expected to work fine on FreeBSD or are there some known problems?

Do you think that OpenBSD suits better for this?

Thanks, regards.