With the new release of OpenBSD (3.0) didn't they change the firewalling? I don't believe they are still using IPF. Upgrading to the new version of OpenBSD may be the same hassle as switching to Linux.

Gilbert

At 06:06 PM 1/17/2002 -0700, you wrote:
>I feel like I stepped into a vi vs. emacs or csh vs. ksh thread :)
>
>It really isn't a question of which is better but which you know best.
>Your security will be at its peak if you fully understand what tool you
>are using.
>If you are comfortable with ipfilter (now ipf), changing to ipchains will
>mean learning a new syntax. I would do that on an internal system and
>leave the battle-tested config running until I felt comfortable enough
>to switch it out.
>I stopped using Linux for firewalling because I got tired of each change
>to the firewalling command and syntax and wanted something a little less
>changeable.
>I also found that the ipfilter syntax and features just plain rocked.
>
>I use OpenBSD 2.8 for my firewall and love it. I will be going 3.0 soon.
>I started using FreeBSD more in the last year because ipfw can do
>Equal Cost Multipath Routing without fiddling with add-on tools like
>iproute, and ipfw kicks ass for simulating WAN testing, dynamic rulesets,
>and other cool stuff.
>The VPN setup is a breeze with racoon or isakmpd. I can email you the file
>I have on connecting to Checkpoint; I think I still have it around
>somewhere.
>
>FWIW, keep OpenBSD and still train yourself on ipchains.
>Have a dual-boot system so you can try out new rules on both and do a
>real comparison of which firewalling setup you are the most comfortable
>with.
>
>The BSD Heretic (JLF) Sends...
>
>My .02
>
>On Mon, Jan 14, 2002 at 12:15:18PM -0700, Jeffrey Pyne wrote:
> >
> > I got Cox' conversion kit in the mail this weekend, so I guess I need
> > to switch over to their new "hi-speed" service. While I'm switching, I
> > thought I might as well upgrade my firewall. I'm currently using OpenBSD
> > 2.6, and this baby has been running trouble-free for 2 1/2 years (not
> > including a couple of power outages). I've been thinking about switching
> > to Linux, since iptables now offers "stateful" firewalling (the lack of
> > that functionality in ipchains led me to go with OpenBSD way back when).
> > My requirements are as follows:
> >
> > 1) Must be able to handle DHCP since Cox.net apparently won't offer any
> > static IP addresses (*sniff*)-- not just in terms of getting an IP
> > address, but also in terms of the firewalling
> >
> > 2) Must be able to establish a VPN tunnel to a Checkpoint firewall-- I
> > know Linux can do it with FreeS/WAN, and a quick search of Google leads
> > me to believe OpenBSD can handle it as well
> >
> > 3) Must be able to "redirect" incoming traffic to other IP
> > addresses/ports on the internal LAN- OpenBSD does that beautifully, and I
> > imagine iptables does that now, too.
> >
> > 4) Must be able to NAT the internal LAN for outbound traffic- should be
> > a no-brainer for both Linux and OpenBSD
> >
> > 5) Must be as rock-solid as my OpenBSD firewall has proven to be over
> > the years
> >
> > So, would anyone care to offer their input about whether I should
> > upgrade to OpenBSD 3.0 or move to a Linux platform? Any caveats,
> > gotchas, or bugaboos? Any particular strengths or weaknesses RE: any of
> > my requirements? Anyone ever set up a VPN tunnel to a Checkpoint
> > firewall who would like to share any insight or experiences? Anybody
> > else made the switch over to Cox.net and have anything to say (I noticed
> > on their web page that their DHCP leases expire every 4 hours)? Any
> > particularly good documentation that you might like to share? I am very
> > intrigued by some of the floppy-based Linii, but I'm really interested
> > more in whether the solution can handle the above requirements than how
> > much space the installation requires.
> >
> > Thanks in advance,
> >
> > ~Jeff
>
>--
>Jean Francois - JLF Sends...
>"Tell them we are not Gods, but SysAdmins, which is the next best thing."
>
>________________________________________________
>See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
>post to the list quickly and you use Netscape to write mail.
>
>PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss