[rescue] RFA: firewall

Jonathan C. Patschke jp at celestrion.net
Sun Jan 9 23:18:13 CST 2005


On Sun, 9 Jan 2005, Patrick Finnegan wrote:

> I've never actually used OpenBSD, but from what I hear, pf is "nice" to
> configure, but I've had no problems doing what I've wanted to with
> iptables on Linux.

The huge difference between iptables and pf is that in iptables, you
essentially have a shell script where you form these long chains of
packet processing by assigning packets to various jumps/targets, and
netfilter uses this both to assign behavior and classification to a
packet.

   ext_if=eth0
   # pull the address currently bound to the external interface
   ext_ip=`ifconfig $ext_if | grep 'inet addr' | sed -e 's/:/ /g' |
           cut -d' ' -f 3`
   IPTABLES=/usr/bin/iptables
   # flush both the filter and the nat tables, or re-running the script
   # appends a second copy of every nat rule
   $IPTABLES -F
   $IPTABLES -t nat -F
   # masquerade the internal net behind the external address
   $IPTABLES -A POSTROUTING -t nat -s 192.168.0.0/24 -o $ext_if -j \
             SNAT --to-source $ext_ip
   # port-forward inbound services to hosts on the internal net
   $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 80 -j DNAT \
             --to-destination 192.168.0.2
   $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 443 -j DNAT \
             --to-destination 192.168.0.2
   $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 25 -j DNAT \
             --to-destination 192.168.0.3
   $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 22 -j DNAT \
             --to-destination 192.168.0.4

In pf, you have a config file with rules that say what goes where
like this, with different predicates for how a packet should be treated
(instead of just a label like DNAT or DROP):

   ext_if = "le0"
   # translate the internal net to the external interface's address
   nat on $ext_if from 192.168.0.0/24 to !192.168.0.0/24 -> $ext_if
   # redirect inbound services to hosts on the internal net
   rdr on $ext_if proto tcp from any to $ext_if port 80  -> 192.168.0.2
   rdr on $ext_if proto tcp from any to $ext_if port 443 -> 192.168.0.2
   rdr on $ext_if proto tcp from any to $ext_if port 25  -> 192.168.0.3
   rdr on $ext_if proto tcp from any to $ext_if port 22  -> 192.168.0.4

To me, while Linux and BSD are mostly interchangeable and should be
picked due to personal choice (taken in consideration with the
administrator's abilities and the other machines on the network), this
is one of the few cases where BSD is a slam dunk.  pf's configuration
file is, to me, much easier to read, and even easier for a novice to
understand.

Even if you're stuck with a BSD that uses the older Reed ipf filter,
it's only marginally harder to read and understand than the new OpenBSD
pf stuff.

-- 
Jonathan Patschke ) "I've built my whole system with [-fomit-frame-pointer]
Elgin, TX        (  cause it was recommended...as I don't care if a program
USA               ) crashes, not interested in finding out why."
                  (                    --Tim, Another Satisfied Gentoo User
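The correspondence between the two rulesets in the post can be made mechanical: each pf `nat` rule maps to an iptables POSTROUTING rule and each `rdr` to a PREROUTING DNAT rule. The translator below is an added example, not code from the post or from either project. It handles only the pre-4.7 pf grammar subset the post uses (macro lines, `nat on`, `rdr on` with `proto`/`from`/`to`/`port`), and it assumes MASQUERADE as the iptables counterpart of `-> $ext_if`, since the interface address is not known at translation time (the post's script fills it in with `$ext_ip` instead). It also adds a sanity check a gateway admin wants before loading either form: every redirect target must sit inside the network the `nat` rule translates, otherwise the forwarded host is not behind this gateway and its replies never return through it. The sample ruleset is constructed from the rules in the post.

```python
"""Translate a small subset of old-style pf.conf nat/rdr rules into
iptables nat-table commands and sanity-check the redirect targets.
Added example; the supported grammar subset is an assumption."""
import ipaddress
import re

# Constructed sample ruleset: the pf rules from the post plus its macro line.
SAMPLE_PF_CONF = """\
ext_if = "le0"
nat on $ext_if from 192.168.0.0/24 to !192.168.0.0/24 -> $ext_if
rdr on $ext_if proto tcp from any to $ext_if port 80  -> 192.168.0.2
rdr on $ext_if proto tcp from any to $ext_if port 443 -> 192.168.0.2
rdr on $ext_if proto tcp from any to $ext_if port 25  -> 192.168.0.3
rdr on $ext_if proto tcp from any to $ext_if port 22  -> 192.168.0.4
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?$')
NAT_RE = re.compile(r'^nat on (\S+) from (\S+) to (\S+) -> (\S+)$')
RDR_RE = re.compile(
    r'^rdr on (\S+)(?: proto (\S+))? from (\S+) to (\S+) port (\d+)'
    r' -> (\S+)(?: port (\d+))?$')


def expand_macros(line, macros):
    """Replace $name references with their values, as pfctl does at load."""
    def lookup(m):
        if m.group(1) not in macros:
            raise ValueError('undefined macro $' + m.group(1))
        return macros[m.group(1)]
    return re.sub(r'\$(\w+)', lookup, line)


def addr_args(flag, spec):
    """pf address spec -> iptables args: 'any' matches all, '!x' negates."""
    if spec == 'any':
        return []
    if spec.startswith('!'):
        return ['!', flag, spec[1:]]
    return [flag, spec]


def parse_pf(text):
    """Return (macros, nat_rules, rdr_rules) from the supported pf subset."""
    macros, nats, rdrs = {}, [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r'\s+', ' ', expand_macros(line, macros))
        m = NAT_RE.match(line)
        if m:
            nats.append(dict(zip(('on', 'src', 'dst', 'target'), m.groups())))
            continue
        m = RDR_RE.match(line)
        if m:
            rule = dict(zip(('on', 'proto', 'src', 'dst', 'port', 'target',
                             'rport'), m.groups()))
            if rule['proto'] not in ('tcp', 'udp'):
                # pf (and iptables --dport) only allow ports with tcp/udp
                raise ValueError('port without tcp/udp proto: ' + raw)
            rdrs.append(rule)
            continue
        raise ValueError('unsupported pf line: ' + raw)
    return macros, nats, rdrs


def to_iptables(nats, rdrs):
    """Emit one iptables nat-table command per pf rule, in ruleset order."""
    cmds = []
    for r in nats:
        args = ['iptables', '-t', 'nat', '-A', 'POSTROUTING', '-o', r['on']]
        args += addr_args('-s', r['src']) + addr_args('-d', r['dst'])
        if r['target'] == r['on']:
            # '-> $ext_if': use the interface's current address (assumption:
            # MASQUERADE rather than SNAT with a resolved $ext_ip)
            args += ['-j', 'MASQUERADE']
        else:
            args += ['-j', 'SNAT', '--to-source', r['target']]
        cmds.append(' '.join(args))
    for r in rdrs:
        args = ['iptables', '-t', 'nat', '-A', 'PREROUTING', '-i', r['on']]
        args += ['-p', r['proto']] + addr_args('-s', r['src'])
        if r['dst'] != r['on']:          # 'to $ext_if' is covered by -i
            args += addr_args('-d', r['dst'])
        args += ['--dport', r['port']]
        target = r['target'] + (':' + r['rport'] if r['rport'] else '')
        args += ['-j', 'DNAT', '--to-destination', target]
        cmds.append(' '.join(args))
    return cmds


def check_rdr_targets(nats, rdrs):
    """Return (port, target) pairs whose target lies outside every network
    a nat rule translates: such a host is not behind this gateway."""
    inside = [ipaddress.ip_network(n['src']) for n in nats if n['src'] != 'any']
    bad = []
    for r in rdrs:
        ip = ipaddress.ip_address(r['target'])
        if not any(ip in net for net in inside):
            bad.append((r['port'], r['target']))
    return bad


if __name__ == '__main__':
    macros, nats, rdrs = parse_pf(SAMPLE_PF_CONF)
    print('\n'.join(to_iptables(nats, rdrs)))
    for port, target in check_rdr_targets(nats, rdrs):
        print('warning: rdr port %s -> %s is outside the nat net' % (port, target))
```

Running it on the sample prints five commands, one MASQUERADE rule and four DNAT rules, with no warnings; feeding it a redirect to an address outside 192.168.0.0/24 produces a warning line instead of a silently broken forward.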