pf or iptables? - Security



Thread: pf or iptables?

  1. pf or iptables?

    well
    any preferences?
    performance issues?
    or is it just a choice between good and good?

  2. Re: pf or iptables?

    There's a stable pf port for Linux?

    C.


  3. Re: pf or iptables?

    C. wrote:
    > There's a stable pf port for Linux?

    alrighty then...let's expand for the hair splitters
    would you use OpenBSD/pf or Linux/iptables?
    experienced opinions?

  4. Re: pf or iptables?

    On Fri, 03 Mar 2006 08:11:11 -0500, prodigal1 wrote:

    > C. wrote:
    >> There's a stable pf port for Linux?

    > alrighty then...let's expand for the hair splitters
    > would you use OpenBSD/pf or Linux/iptables?
    > experienced opinions?


    Well I don't have any experience with pf but this is what I would say,

    If you are using BSD then go with pf
    If you are using linux then go with iptables.


    --

    Regards
    Robert

    Smile... it increases your face value!



  5. Re: pf or iptables?

    Robert wrote:
    > On Fri, 03 Mar 2006 08:11:11 -0500, prodigal1 wrote:
    > > C. wrote:
    > >> There's a stable pf port for Linux?

    > > alrighty then...let's expand for the hair splitters
    > > would you use OpenBSD/pf or Linux/iptables?
    > > experienced opinions?

    >
    > Well I don't have any experience with pf but this is what I would say,
    >
    > If you are using BSD then go with pf
    > If you are using linux then go with iptables.


    .... because you have no choice if just the two are considered. :-)

    --
    M.


  6. Re: pf or iptables?

    Robert :
    > On Fri, 03 Mar 2006 08:11:11 -0500, prodigal1 wrote:
    >
    > > C. wrote:
    > >> There's a stable pf port for Linux?

    > > alrighty then...let's expand for the hair splitters
    > > would you use OpenBSD/pf or Linux/iptables?
    > > experienced opinions?

    >
    > Well I don't have any experience with pf but this is what I would say,
    >
    > If you are using BSD then go with pf
    > If you are using linux then go with iptables.


    Our local user group (http://cuug.ab.ca/) recently hosted a
    presentation by OpenBSD's pf maintainer. He demonstrated two small
    Soekris boxes running pf in high availability, failover mode with no
    loss of traffic when one was rebooted. He streamed an audio file
    across the network during the operation. FWIW, the OpenBSD crowd
    speak of iptables (and Linux, for that matter) derisively.

    It's rumoured that every (many? some?) US-DOJ workstations hang
    off their own dedicated OpenBSD firewall.

    The best simple (ie., no fscking GUI configurator) iptables firewall
    script I've seen is Arno's iptables ("Arno's iptables-firewall",
    http://rocky.molphys.leidenuniv.nl/, or [shameless plug]
    http://linuxgazette.net/114/keeling.html for a description of it in
    action). It's ca. 3000 lines long (though that does include many
    comment lines). I've seen many bulletproof pf firewall scripts that
    fit on one terminal screen.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - Spammers! http://www.spots.ab.ca/~keeling/emails.html
    http://www.ietf.org/rfc/rfc1855.txt

  7. Re: pf or iptables?

    s. keeling wrote:
    > ... FWIW, the OpenBSD crowd
    > speak of iptables (and Linux, for that matter) derisively.


    Would you expect them saying Linux+iptables is better than Open+pf and
    they are working to improve their stuff to reach the level of
    Linux+iptables? ;-)

    > The best simple (ie., no fscking GUI configurator) iptables firewall
    > script I've seen is Arno's iptables ("Arno's iptables-firewall",
    > http://rocky.molphys.leidenuniv.nl/, or [shameless plug]
    > http://linuxgazette.net/114/keeling.html for a description of it in
    > action). It's ca. 3000 lines long (though that does include many
    > comment lines). I've seen many bulletproof pf firewall scripts that
    > fit on one terminal screen.


    Check this: to find a
    number of examples of "bulletproof" iptables scripts that fit on one
    terminal screen.

    --
    Mikhail


  8. Re: pf or iptables?

    On Sun, 05 Mar 2006 20:54:01 -0800, Mikhail Zotov wrote:

    > s. keeling wrote:
    >> ... FWIW, the OpenBSD crowd
    >> speak of iptables (and Linux, for that matter) derisively.

    >
    > Would you expect them saying Linux+iptables is better than Open+pf and
    > they are working to improve their stuff to reach the level of
    > Linux+iptables? ;-)


    that makes it, Mikhail-2, the_rest=nil
    I think I'll just have to set up two test boxes and have a go at it and
    see which one I like better.
    cheers

  9. Re: pf or iptables?

    prodigal1 wrote:

    > On Sun, 05 Mar 2006 20:54:01 -0800, Mikhail Zotov wrote:
    >
    >>
    >> Would you expect them saying Linux+iptables is better than Open+pf and
    >> they are working to improve their stuff to reach the level of
    >> Linux+iptables? ;-)

    >
    > that makes it, Mikhail-2, the_rest=nil
    > I think I'll just have to set up two test boxes and have a go at it and
    > see which one I like better.
    >


    At last - a sensible post in this topic (although it's the OP answering his
    own question).

    As Mikhail points out, the answer you get is always going to depend on whom
    you ask. This is comp.os.linux.security. Making a judgement as to which is
    better for you is quite a different thing from saying which is technically
    superior / more fully functional. And certainly can't be answered from a 4
    line usenet post.

    What would really be cool would be if you (prodigal1) were to publish the
    findings on the web and then post the URL back here.

    C.


  10. Re: pf or iptables?

    Colin McKinnon sez:
    > prodigal1 wrote:
    >
    >> On Sun, 05 Mar 2006 20:54:01 -0800, Mikhail Zotov wrote:
    >>
    >>>
    >>> Would you expect them saying Linux+iptables is better than Open+pf and
    >>> they are working to improve their stuff to reach the level of
    >>> Linux+iptables? ;-)

    >>
    >> that makes it, Mikhail-2, the_rest=nil
    >> I think I'll just have to set up two test boxes and have a go at it and
    >> see which one I like better.
    >>

    >
    > At last - a sensible post in this topic (although it's the OP answering his
    > own question).
    >
    > As Mikhail points out, the answer you get is always going to depend on whom
    > you ask. This is comp.os.linux.security. Making a judgement as to which is
    > better for you is quite a different thing from saying which is technically
    > superior / more fully functional. And certainly can't be answered from a 4
    > line usenet post.


    Last I looked at pf, it had this silly logging mechanism where you had
    to pipe its log through tcpdump to get something readable out. Not that
    that's hard -- but it's a few extra steps if you want to send the logs
    to loghost and summarize them there. Also, I don't remember seeing an
    equivalent of iptables' recent match module in pf -- that's very handy
    with ssh worms.

    Other than these, I can't think of anything in terms of functionality.

    Dima
    --
    .... with the exception of January and February 1900, all Microsoft application
    libraries counted dates the same way.
    -- An Interview with Joel Spolsky of JoelonSoftware
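
    Dima's two points above, the tcpdump step for pf's log and iptables' recent match against ssh worms, as an added example that is not part of the thread: a POSIX sh script (hypothetical file name ssh_ratelimit.sh) that prints the rules by default and only loads them when APPLY=1 is set in the environment. The iptables rules use the state and recent matches; the pf.conf fragment shows what pf itself offers for the same job, the max-src-conn-rate state option with an overload table, which is my addition for comparison rather than something the thread mentions. The SSH_PORT, WINDOW, HITS and list-name values are this example's own defaults.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the "state" and
# "recent" matches. Prints the rules unless APPLY=1 is set, in which case it
# runs iptables (needs root). Variable names and defaults are my own choices.

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds the recent list remembers a source
HITS="${HITS:-4}"        # NEW connections per WINDOW before a source is dropped
LIST="SSH"               # recent list name (visible under /proc/net/ipt_recent)

# ipt: run iptables when APPLY=1, otherwise print the command line.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# The recent-match pattern for ssh: record each NEW connection per source,
# then log and drop a source that exceeds HITS within WINDOW seconds.
ssh_ratelimit_rules() {
    # 1. --set adds the source address (with a timestamp) to the list, or
    #    refreshes the timestamp if the address is already there
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name "$LIST" --set
    # 2. --rcheck tests the list without adding a timestamp of its own
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name "$LIST" --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix "SSH-RATELIMIT: "
    # 3. --update also refreshes the entry on every hit, so a source that keeps
    #    hammering stays blocked until it has been quiet for WINDOW seconds
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" \
        -j DROP
}

# pf_ssh_ratelimit: pf.conf fragment doing the same job with pf's state-tracking
# options (max-src-conn-rate + overload); printed for comparison, not loaded.
pf_ssh_ratelimit() {
    cat <<EOF
table <ssh_bruteforce> persist
block in quick on \$ext_if from <ssh_bruteforce>
pass in on \$ext_if proto tcp to (\$ext_if) port $SSH_PORT keep state (max-src-conn-rate $HITS/$WINDOW, overload <ssh_bruteforce> flush global)
EOF
}

# pflog_read_cmd: pf logs to the pflog0 BPF interface (pflogd writes it to
# /var/log/pflog as a pcap file), so reading it goes through tcpdump.
# -e shows the rule number and action, -ttt prints delta timestamps.
pflog_read_cmd() {
    case "${1:-file}" in
        live) echo "tcpdump -n -e -ttt -i pflog0" ;;
        *)    echo "tcpdump -n -e -ttt -r /var/log/pflog" ;;
    esac
}

# Running the script prints the iptables rules, the pf.conf equivalent and the
# pflog command; APPLY=1 ./ssh_ratelimit.sh loads the iptables rules for real.
ssh_ratelimit_rules
echo "# pf.conf equivalent (state-tracking options):"
pf_ssh_ratelimit
echo "# reading pf's log, which is a pcap dump rather than text:"
pflog_read_cmd file
```

    The LOG rule uses --rcheck so that logging does not itself touch the list; only the --set and --update rules do. To ship the pf side to a loghost as Dima describes, the live tcpdump form is what you would feed into syslog or a summariser.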
