Linked by Thom Holwerda on Wed 15th Sep 2010 14:27 UTC, submitted by Ed
NetBSD "The NetBSD Foundation is pleased to announce NPF, a new packet filter by Mindaugas Rasiukevicius. NPF is designed for high performance on multiprocessor machines, and for easy extensibility."
RE: GUI interface needed
by foldingstock on Fri 17th Sep 2010 18:10 UTC in reply to "GUI interface needed"
foldingstock Member since:
2008-10-30

It's been a few years since I've used OpenBSD and FreeBSD (and perhaps things have changed), but back when I used the BSDs I felt that there was a vital need for a GUI interface to configure these packet-filtering systems. There are a number of GUI front-ends for Linux's system (iptables), my favorite one being Guarddog because it makes it easy to target which ports you want to block. There are even simpler tools like Firestarter, but these don't give you so many tweaking options - nevertheless, it's adequate for 99% of desktop users.


If you need a GUI to configure a firewall, the *BSD operating systems really aren't for you.

Firestarter is a poor excuse for a firewall frontend and Guarddog is a complete joke that is lacking many features. These are fine on simple home machines, as that is their intended use, but no knowledgeable system admin would use them on a server. Any good Linux admin would use iptables, from the command line, because of the sheer control the command line allows when compared to a limiting GUI application.

Both FreeBSD and OpenBSD provide excellent documentation for configuring IPFW/PF, especially when compared to iptables on Linux. All that is required by the end user is a little reading and the ability to follow instructions. If you cannot do this, you have no reason to be administrating such a complex firewall to begin with.

If you're building your own firewall from scratch, and you have programming skills, a GUI might not matter. But for dumb end-users like myself, spending hours or days trying to write firewall rules just isn't worth the hassle - especially since I'm not good at it and thus may unknowingly leave a big hole in my firewall.


Writing firewall rules in a configuration file is not the same as programming by any stretch of the imagination. Using your logic, it could be reasoned that no end user could ever configure a hard drive mount because "programming" /etc/fstab is just too difficult. Please.

Score: 1

RE[2]: GUI interface needed
by sorpigal on Fri 17th Sep 2010 21:56 in reply to "RE: GUI interface needed"
sorpigal Member since:
2005-11-02

It's not so much that one needs a GUI as it is that having a usable GUI makes it easier to stand behind the recommendation of a solution which will survive me departing the company. If the MCSE can't poke his way through it then it's too expensive a solution.

Score: 2

RE[3]: GUI interface needed
by phoenix on Fri 17th Sep 2010 22:59 in reply to "RE[2]: GUI interface needed"
phoenix Member since:
2005-07-11

If the MCSE doesn't know enough about networking to understand English sentences (allow protocol from subnet to subnet in recv interface), then they have no business being anywhere near a firewall, let alone a network server of any kind. ;)

A well-documented text file is a heck of a lot easier to understand than a bunch of icons and arrows onscreen.

Score: 2