[wplug] pf and openbsd

Michael Semcheski mhsemcheski at gmail.com
Wed Feb 6 10:41:58 EST 2008


Just in case we don't get a pf tutorial at an upcoming GUM, but your
interest in pf and OpenBSD is piqued, check out:

http://www.openbsd.org/faq/pf/index.html

pf is a fantastic firewall.  I don't know if you can do everything in
iptables that you can with pf.  e.g., authpf.  authpf allows you to
add special firewall rules for people who have authenticated.  For
example, you could set things up to only allow connections to a
certain port if the user is already connected via ssh.



On Feb 6, 2008 9:13 AM, Duncan Hutty <dhutty+wplug at ece.cmu.edu> wrote:
> Brian A. Seklecki wrote:
> > Move fast.  Time is of the essence.  Put an OpenBSD box in front of it
> > running pf(4) and pray that no one ever reads your SMTP headers.
> >
> > ~BAS
> >
> Bad Lava. I don't think he was looking for BSD evangelism.
>
> You know that it's perfectly possible to run nice safe linux boxen as routers for this situation. You should also be aware that there are plenty of large organisations including local .edu installations that have linux machines on publicly routable addresses without firewalls or NAT without getting compromised all the time.
>
> The OP should realise the risks (which it appears that he does) and
> assess whether he has the skills/knowledge/time (or the inclination to
> learn them) in order to mitigate those risks down to what he considers
> to be acceptable levels for this situation. This is the fundamental
> question in security. And well you know it.
>
> If, on the other hand, you want to suggest that OpenBSD/pf would be a
> better solution for this situation. I'm sure wplug would be interested
> in a presentation complete with analysis and howto:)
> --
> Duncan Hutty
>

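The authpf setup described at the top of this message (a port reachable only after the user has authenticated over ssh), as an added example that is not part of the original post. Interface names, the address of the protected host and the port are assumptions; the rule syntax is that of pf(4) since OpenBSD 4.7, and the user's login shell must be /usr/sbin/authpf with /etc/authpf/authpf.conf present (it may be empty) for authpf(8) to run.

```pf
# --- /etc/pf.conf (assumed interfaces and addresses, not from the post) ---
ext_if = "em0"          # Internet-facing interface
int_if = "em1"          # interface towards the protected host
db_srv = "10.0.0.5"     # host whose service port is gated by authpf

set skip on lo

# Default deny on the outside; nothing below reaches $db_srv by itself
block in on $ext_if all

# sshd is the only service open to everyone: it is what authenticates the user.
# Logging in runs authpf(8) as the user's shell, which loads authpf.rules
# into an anchor named after the user and flushes it when the session ends.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# Per-user rules loaded by authpf are evaluated here. On pf releases before
# OpenBSD 4.7 the matching nat-anchor/rdr-anchor/binat-anchor lines were
# also required.
anchor "authpf/*"

# Let traffic admitted by an authpf rule continue to the inside
pass out on $int_if proto tcp to $db_srv

# --- /etc/authpf/authpf.rules (loaded per authenticated ssh session) -------
# Macros from pf.conf are not visible here, so they are redefined.
# $user_ip and $user_id are set by authpf(8) from the ssh session.
ext_if = "em0"
db_srv = "10.0.0.5"

# Only the address the user authenticated from may reach the gated port,
# and only for as long as the ssh session stays up.
pass in quick on $ext_if proto tcp from $user_ip to $db_srv port 5432 \
    user $user_id
```

The `user $user_id` qualifier is a pf rule option and is optional here; pfctl -a "authpf/*" -sr shows which users' anchors are currently loaded.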
