BSD Firewall (long)

Jay Nelson jay@REDACTED
Thu Jul 10 07:46:12 CEST 2003

Thanks for all the tips.  I got set up with OpenBSD.  I chose
it because the security seemed to be its strongest point
and the tutorials were as good as those I found on the other
variants.  I've been reading as much as I can and have made
significant progress -- I am now booting from a 64MB flash
card on a diskless, fanless computer.  Total silence.  I can
hopefully soon eliminate all my other noisy servers.

Everything is very similar to Linux in terms of administration
(I've used System V, Solaris, Linux and other variants, so at
least a lot of the utilities are familiar).  I really like the NAT /
packet filtering features offered by pf.  ipchains may be very
similar, but I've never gotten good tutorials on how to use it
so I can't tell.  With pf I can have multiple firewalls, multiple
internal networks, NAT along with packet scrubbing (fixing up
bogus headers used in denial attacks), port and address
redirection, filtering including even the flags in the TCP headers
as well as spam delay and best of all the ability to easily send
all packets to a separate machine for logging.  I haven't learned
how yet, but there seems also the ability to do load balancing
and bandwidth reservation.

The thing I like best about OpenBSD is that it feels smaller than
Linux and that most things are controlled by a single configuration
file.  I have built a smaller kernel, downloaded a flash disk writer,
and am in the process of configuring the firewall.  It feels safer
because there is less code and because the resources I have
used seem to cover the basics very well (it may be that I am just
ignorant of all the real problems).

Here are some resources that I use, in case others want to do
some investigation:

O'Reilly Network LAMP (Linux, Apache, MySQL, PHP, Python, Perl)
[Click on BSD, then Securing Small Networks]
OpenBSD Journal
OpenBSD Forums

> Why not continue using Linux?

I was first interested in BSD because I felt Linux wasn't secure
enough for a firewall and wanted to look for something that seemed
to be more secure.  I also prefer something that is less popular
and not so large so that I can better understand all the workings
and can participate in a community that is choosing a technology
for their own reasons rather than trendiness.  Bottom line is that
I get bored easily and am always looking to learn something new.

Don't get me wrong, I like Linux as a desktop and development
environment.  I needed something that I can easily make into an
embedded device because I am convinced that is the future of
software.  Now is the time to learn the fundamentals before the big
companies make it all too complicated.

Ultimately I want to assemble a box with built-in dedicated turnkey
firewall, database, web / game and email servers with a network
of chips for running services written in Erlang.  If anyone is interested
in acquiring any of the following, please let me know what your
desires are:

1) OpenBSD diskless firewall appliance plus books on OpenBSD
        and configuring a pf firewall

2) Pre-installed OpenBSD Erlang appliance(s) plus books -- plug N
        play development PC

3) Single box including OpenBSD firewall plus 5 to 50 processors
        each preconfigured as an Erlang node

I am using 500MHz to 1GHz x86 low-power motherboards in a case
measuring 9" x 11.5" x 2" or 23cm x 29cm x 4.5cm.
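A minimal pf.conf illustrating the features the post lists (packet scrubbing, NAT, port and address redirection, TCP-flag filtering, the spamd hand-off and logging), added here as an example; it is not from the post, and the interface names, addresses and the internal web server are assumptions, written in the OpenBSD 3.3-era rule order (scrub, translation, then filter rules).

```conf
# Added example, not from the post. Interface names and addresses are assumptions.
ext_if = "fxp0"                 # assumed external interface
int_if = "fxp1"                 # assumed internal interface
int_net = "192.168.1.0/24"      # assumed internal network
webserver = "192.168.1.10"      # assumed internal web server

# Hosts that spamd-setup(8) loads for the spam delay
table <spamd> persist

# Normalise packets before filtering: reassemble fragments, drop bogus headers
scrub in all

# NAT the internal network out via the external address
nat on $ext_if from $int_net to any -> ($ext_if)

# Port and address redirection: expose the internal web server on the public address
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# Spam delay: SMTP from listed hosts is handed to spamd(8) on 127.0.0.1:8025
rdr on $ext_if proto tcp from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025

# Default deny; "log" copies every blocked packet to the pflog0 interface
block in log all
block out log all

pass quick on lo0 all

# TCP-flag filtering: only a bare SYN (not SYN+ACK) may open an inbound state
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
pass in on $ext_if proto tcp from <spamd> to 127.0.0.1 port 8025 flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Let the internal network out, statefully
pass in on $int_if from $int_net to any keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Packets matched by `log` appear on pflog0, where pflogd(8) records them or tcpdump(8) can read them; shipping that stream to a separate logging host is done outside pf.conf.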


More information about the erlang-questions mailing list