[Cumbria] Building firewalls with iptables...

cumbria@mailman.lug.org.uk cumbria at mailman.lug.org.uk
Fri Dec 20 09:11:02 2002


>Here's the link (it's a long one!) ... 
>http://cedar.intel.com/cgi-bin/ids.dll/content/content.jsp?cntKey=Generic+Editorial%3a%3alinux_stateful_iptables_firewalls_part_one&cntType=IDS_EDITORIAL&catCode=CHV&path=1
>
This is a good, basic article. But if you really want to use Netfilter in anger, check out http://www.netfilter.org/documentation/


>This will also open up a chance for Ian to tell us all why iptables 
>isn't as a good as pf which isn't as good as ipf which isn't as good as 
>the built in firewalling in windows xp (the last one was a joke btw).
>
OK I'll bite :-)

I think they are both excellent (Dave blinks and holds onto desk for support). But for obvious reasons they are OS-specific.

But as Dave points out, for a gateway/firewall I'd go with 'pf'. The reason for this is that the underlying OS (OpenBSD) is fully audited for security. This makes it very stable. Pf is also very quick now.

Netfilter has had some security problems in the past - logging (or NOT!), ftp-proxy, NAT, and will no doubt have some more in the future :-(
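For readers following the linked article's topic, a stateful Netfilter/iptables ruleset for a small gateway, here is an added example that is not from the article, this thread, or any poster. The interface names (eth0/eth1), the LAN subnet and the "fw-drop:" log prefix are assumptions; it uses the `-m state` match of the era and generates the rules as text first, so they can be reviewed (or diffed against what `iptables-save` later reports) before being applied as root.

```shell
#!/bin/sh
# Added example: a minimal stateful gateway ruleset in the style of the
# linked article. WAN_IF, LAN_IF and LAN_NET are assumed/constructed values;
# override them from the environment to match a real box.
WAN_IF="${WAN_IF:-eth0}"                # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                # assumed: interface facing the trusted LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet (constructed value)

# render_rules prints the iptables commands, one per line, without running
# them. Default policy is DROP on INPUT/FORWARD; only reply traffic to
# connections the gateway already knows about (ESTABLISHED,RELATED) and
# explicitly listed NEW connections get through.
render_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# rule_count returns how many iptables commands the ruleset contains.
rule_count() {
    render_rules | grep -c '^iptables '
}

# apply_rules enables forwarding and loads the rendered rules; it needs root
# and a kernel with the state/conntrack modules available.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_rules | sh -e
}

# Usage: ./gateway.sh        -> print the ruleset for review
#        ./gateway.sh apply  -> load it (as root)
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    render_rules
fi
```

The two LOG rules sit just before the chain's default DROP policy takes effect, so everything that is about to be dropped is logged, but the `limit` match caps log lines at 5 per minute so a flood of unwanted packets cannot fill the disk. Anything that does not match an ACCEPT rule falls through to the DROP policy whether or not the LOG rule fires.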