On Sat, 18 Jan 2003, Scott Francis wrote:
2. I happen to like a host-based firewall (a firewall running on a normal user OS like FreeBSD) better than an appliance. You get to do anything you need with it, you have a full complement of unix tools like grep and awk and tcpdump and expect, etc. - it seems like you have more control. Assuming (for a moment) that performance were equal, does anyone else feel this way? Does anyone else prefer a normal system for a firewall over, say, a PIX?
I'm with you on that, mainly for (a) flexibility of configuration, (b) ease/speed of upgrades/patches, and (c) price involved in purchase and maintenance. Also as you mentioned, a firewall that starts out just filtering can later be modified easily to capture packets for analysis later, run active or passive intrusion detection, etc.
I'm in total agreement as to the utility and significant headache-reduction that a *BSD OS (with a real interactive editor) makes -- Vi for IOS must be too challenging. However, I do see a sore spot. One area that I've not seen much attention paid to (yet?) is failover. Don't assume that I'm advocating the use of a PIX here, but has anyone yet successfully used ipf/pf to export and then import the state tables on a backup host? In my experience, doing that w/ PIXen has been quite simple. Forget all the ARP/ifconfig/heartbeat fudgery that'd be required to achieve failover on *BSD with ipf/pf -- just finding a simple way to move said state table from host to host seems interesting and challenging. How do we address availability concerns while using commodity hardware and OSes? Are they valid concerns, even? <G> --Tk
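The state-table question above is what OpenBSD later answered with pfsync (state replication between hosts) and CARP (a shared virtual address that moves to the backup when the master dies), so the ARP/heartbeat fudgery is no longer hand-rolled. The following is an added example of that setup, not configuration from anyone in the thread. It assumes two OpenBSD boxes with em0 facing the outside, em1 facing the inside, a dedicated crossover link em2 between them for pfsync, RFC 5737 documentation addresses, and a placeholder CARP password; the peer uses the same files with its own real addresses and a higher advskew so it stays backup.

```conf
# /etc/hostname.em0  (physical external interface, real per-host address)
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp0  (shared external address; clients and the upstream
# router only ever see 192.0.2.1, which follows whichever host is MASTER)
# advskew 0 on the preferred master, e.g. advskew 100 on the backup
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME_CARP_PASSWORD advskew 0

# /etc/hostname.em2  (dedicated state-sync link, never routed anywhere)
inet 10.0.99.1 255.255.255.0

# /etc/hostname.pfsync0  (replicate every pf state over the crossover link)
up syncdev em2

# /etc/sysctl.conf  (let the preferred master reclaim the address on recovery)
net.inet.carp.preempt=1

# /etc/pf.conf  (rules are identical on both hosts)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo

# pfsync carries state updates in the clear and is not authenticated, so it
# is permitted only on the private crossover link, never on ext_if/int_if.
pass quick on $sync_if proto pfsync

# CARP advertisements must flow on every interface that carries a carp device.
pass quick on { $ext_if $int_if } proto carp

# Ordinary stateful rules: every "keep state" entry created here is pushed
# to the peer through pfsync, so established connections survive a failover.
block in log all
pass out on $ext_if inet keep state
pass in on $int_if inet from $int_if:network to any keep state
```

To confirm replication, compare `pfctl -ss` on both hosts while a long-lived TCP session is open through the master; the same state entries appear on the backup, and `ifconfig carp0` reports MASTER on one host and BACKUP on the other. Failover can be exercised without touching cabling by running `ifconfig carp0 down` on the master and watching the session continue. The one point to keep in view is that pfsync has no authentication of its own: the design relies on em2 being a physically private link, and if state must cross a shared segment the pfsync traffic belongs inside IPsec.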