
Hardware vs Software Firewall - experiences?
Fresh-Faced Recruit
Join Date: Aug 2003
Location: norway
Sep 4, 2003, 05:37 AM
 
I have a webserver I would like to move out from behind its current airport NATed network to its own, independent IP address.

I imagine a setup where my DSL-modem connects to a switch which connects to 1) the airport base station, and 2) the webserver. For connection 2), a firewall seems like a good idea...

The question is - which firewall? To answer this, I am wondering if anyone has any input on:

1) The pros and cons of hardware vs. software firewalls?

2) A good hardware firewall? Do you have one that you are happy with which you could recommend? One which can be configured reasonably easily from a Mac? (A few posts concerning firewalls on this forum complain that you need a PC to configure them)

3) A good software firewall? (I realise OS X comes with a built-in firewall, but I'm looking for one which offers a bit more control - like limiting outgoing connections)

Any thoughts would be much appreciated.

Thanks.
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Sep 4, 2003, 03:51 PM
 
You should be able to filter packets in either direction with ipfw.

From the man page:

" Each packet can be filtered based on the following information that is
associated with it:

Transmit and receive interface (by name or address)
Direction (incoming or outgoing)
Source and destination IP address (possibly masked)
Protocol (TCP, UDP, ICMP, etc.)
Source and destination port (lists, ranges or masks)
TCP flags
IP fragment flag
IP options
ICMP types"

For example, if you run sudo ipfw list from the terminal with the default rules from Apple running, you will get something like this:

02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any

Note the in and out keywords indicating direction as you glance through the listing.
     
Dedicated MacNNer
Join Date: Apr 2001
Sep 5, 2003, 08:50 AM
 
In my impression, there are no software "stateful packet inspection" (SPI) firewalls. I've long been fascinated by Sonicwall since it's a "prosumer" grade certified SPI hardware firewall, but now I see SPI firewalls are making their way into many cheap consumer grade SOHO routers as well, such as SMC's Barricades or the Motorola SBG-1000 wireless cable modem.
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Sep 5, 2003, 06:17 PM
 
ipfw can indeed maintain state in a similar fashion to the products you mention:

more man page action:

" If the ruleset includes one or more rules with the keep-state option,
then ipfw assumes a stateful behaviour, i.e. upon a match will create
dynamic rules matching the exact parameters (addresses and ports) of the
matching packet.

These dynamic rules, which have a limited lifetime, are checked at the
first occurrence of a check-state or keep-state rule, and are typically
used to open the firewall on-demand to legitimate traffic only. See the
RULE FORMAT and EXAMPLES sections below for more information on the
stateful behaviour of ipfw."

With that, I would not say that ipfw operates in a way as advanced or efficient as Checkpoint FW-1, Netscreen ScreenOS, Cisco PixOS or Sonicwall (I have no experience using Sonicwall), but for the purpose in question and the lack of any real financial expenditure save for time (time == money naturally, but not on a personal project) I would say ipfw is definitely a viable and very inexpensive option in this case.

Consumer SOHO options are nice, simple to use in most cases and as effective as software firewalls (pf, ipfw, ipf etc.), but now you're shelling out hard earned cash for something you could have done without that expenditure and a few minutes searching webpages for a quick tutorial on configuration options of which there are many and endless mail-list threads to boot.

So I guess I'm saying either way you're covered by a very capable product regardless of what direction you go. It all comes down to the price tag at this point and how intimate you want to get with firewall policy maintenance.
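To make the in/out keywords from the rule listing and the keep-state/check-state behaviour quoted from the man page concrete, here is an added example written for this thread (not the posters' code and not ipfw's own code): a small Python model of how a stateful ruleset for a lone web server would be evaluated. The server address 203.0.113.10, the rule numbers and the simplified rule tuple format are constructed for illustration.

```python
# Toy model of ipfw keep-state/check-state matching, written for this thread; NOT ipfw's code.
from dataclasses import dataclass
ME = "203.0.113.10"  # constructed placeholder for the web server's own address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out", as in the ipfw listing
    setup: bool = False  # ipfw "setup": SYN set, ACK clear (a new connection)

# Static rules for a lone web server. Field order (simplified, not ipfw syntax):
# (number, action, src, dst, dport, direction, setup_only, keep_state)
RULES = [
    ("00100", "check-state", None, None, None, None, False, False),
    ("00200", "allow", "any", "me", 80, "in", True, True),     # web traffic to us
    ("00300", "allow", "me", "any", None, "out", True, True),  # connections we open
    ("00400", "deny", "any", "any", None, None, False, False),
]

def _host_ok(spec, addr):
    return spec == "any" or (spec == "me" and addr == ME)

class Firewall:
    def __init__(self):
        self.dynamic = set()  # dynamic rules: one entry per allowed connection

    def _key(self, p):
        # Order-independent, so the reply direction hits the same dynamic rule.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def check(self, p):
        """Return (verdict, rule_number) for one packet, adding state like keep-state."""
        for num, action, src, dst, dport, direction, setup_only, keep in RULES:
            if action == "check-state":
                if self._key(p) in self.dynamic:
                    return "allow", num  # matched an existing dynamic rule
                continue
            if not (_host_ok(src, p.src) and _host_ok(dst, p.dst)):
                continue
            if (dport is not None and p.dport != dport) or \
               (direction is not None and p.direction != direction) or \
               (setup_only and not p.setup):
                continue
            if keep:
                self.dynamic.add(self._key(p))
            return action, num
        return "allow", "65535"  # ipfw's final default rule in the listing above
```

Note that a stray inbound ACK with no prior connection is denied here, whereas Apple's default rule 02060 (allow tcp from any to any established) passes any packet with the ACK or RST flag set, which is the practical difference between flag-based and state-based filtering.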
     
Fresh-Faced Recruit
Join Date: Aug 2003
Location: norway
Sep 7, 2003, 07:56 AM
 
Thanks for your time and input on this. I'll definitely look into the ipfw option, and check out the hardware suggestions you offered. As you say - it's just a personal project, trying to learn as much as possible about doing things relatively securely and responsibly along the way. Thanks!
     
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Sep 9, 2003, 12:58 AM
 
Linux Netfilter (available in kernel 2.4 and above) implements a stateful packet inspection firewall. It was one of the first, if not the first, software SPI firewall.

In my limited experience of using both software and hardware firewalls in a college campus network, the benefits of having a hardware firewall are ease of use and performance. In a small LAN, the Linux router/firewall was more than sufficient, and although it did well to handle the entire college campus, the requirements for the box did go up a bit (RAM mostly).
     
All contents of these forums © 1995-2011 MacNN. All rights reserved.