NetBSD-Users archive


Re: Firewall OS choice



On Sat, Jul 17, 2010 at 7:19 PM, Michael T. Davis
<DAVISM%ecr6.ohio-state.edu@localhost> wrote:
>        We have an ancient firewall installed in one area running OpenBSD 2.8
> and IPFilter v3.3.18.  Its hardware is configured as an "appliance," so
> updating the software isn't all that straightforward (to put it nicely).  I am
> contemplating upgrading the hardware, and switching to a BSD flavor that
> continues to provide built-in support for IPFilter.  Besides NetBSD, I'm also
> considering FreeBSD.  I realize the responses here will be somewhat biased
> (;-), but is NetBSD a good choice for this application, esp. compared to
> FreeBSD (or vice versa)?
>
>        On a related note, the support for IPFilter in NetBSD 5.0.2 doesn't
> seem to provide a mechanism for specifying an alternate configuration file;
> it's hardcoded to use /etc/ipf.conf and/or /etc/ipf6.conf.  With the ancient
> IPFilter build in the aforementioned environment, there was native support
> for specifying a different file.  I have modified /etc/rc.d/ipfilter and
> /etc/rc.d/ipnat in NetBSD 5.0.2 to provide for specifying different
> configuration files.  Where is the best place to post my diffs and allow
> others to evaluate them?
>

NetBSD is a great choice and I thought you'd be able to override your
config file with rc.conf's ipfilter_flags but then I looked at
rc.d/ipfilter and saw tons of [ -f /etc/ipf.conf ], so I guess you'd
have to adjust that while you're bringing your rules up to date with
the newer ipf if you wanted to take full advantage of the script.  :)

In general you can submit a PR with your changes.
http://www.NetBSD.org/cgi-bin/sendpr.cgi?gndb=netbsd
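
The kind of override the reply found missing from rc.d/ipfilter, sketched as an added example (not part of the original message and not NetBSD's own script): a helper that picks the rules file and refuses one that is unsafe to load as root. The function name and the `ipfilter_conf` rc.conf variable are hypothetical; `/etc/ipf.conf` is the default named in the thread.

```sh
#!/bin/sh
# Added example, not taken from NetBSD's /etc/rc.d/ipfilter.
# "ipfilter_conf" is a hypothetical rc.conf variable name.

# resolve_ipf_conf OVERRIDE DEFAULT
# Prints the rules file to load, or returns non-zero with a reason on stderr.
resolve_ipf_conf() {
    _conf=${1:-$2}

    # A boot script must not depend on the current directory.
    case $_conf in
        /*) ;;
        *)  echo "ipfilter: $_conf: path must be absolute" >&2
            return 1 ;;
    esac

    # A missing override is an error; never fall back silently to other rules.
    if [ ! -f "$_conf" ] || [ ! -r "$_conf" ]; then
        echo "ipfilter: $_conf: not a readable regular file" >&2
        return 1
    fi

    # Rules are loaded as root: refuse a file that group or others can rewrite.
    if [ -n "$(find -L "$_conf" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "ipfilter: $_conf: group- or world-writable, refusing" >&2
        return 1
    fi

    printf '%s\n' "$_conf"
}

# Intended use inside an rc.d script, e.g.:
#   conf=$(resolve_ipf_conf "$ipfilter_conf" /etc/ipf.conf) || exit 1
#   /sbin/ipf -Fa -f "$conf"
```
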

