Computing and Information Services

Drawbridge

1) Is there a version of Drawbridge for Linux?  Can Drawbridge be
   ported to Linux?

     The Drawbridge packet filtering is done by code added to the FreeBSD
     kernel.  Since it is a kernel patch, it is very OS dependent.  The
     FreeBSD kernel code is very different from the Linux kernel code so
     it would basically require a complete rewrite of Drawbridge to
     incorporate it into the Linux kernel.  Not only would the initial
     effort be great, maintaining two code bases would require way too
     much work.  Because of these factors, we don't plan on releasing a
     Linux version of Drawbridge.

2) Why FreeBSD instead of Linux?

     The biggest reason is that at the time when Drawbridge was moved
     from DOS to unix (1996), Linux did not have any FDDI drivers and
     FreeBSD did.  Since we needed an FDDI firewall, it was an easy
     choice.  Additionally, in my opinion, the networking code of FreeBSD
     was better organized and better documented - at least in '97.  I
     like Linux as much as FreeBSD and they both have their uses.

3) I want to allow only a specific host or set of hosts on the outside to
   connect to a specific host on the inside.  Is this possible?

     Drawbridge doesn't currently support filtering based on the outside
     IP address.  There's no way to open a port to a subset of outside
     hosts - it's all or nothing.  This was a design decision - it's not
     an easy thing to do and still keep constant time lookups.  All of
     the packet filters that I know of which allow source/destination
     filtering use a linear list of filter rules.  As the number of rules
     increases, the performance decreases.  It was felt that performance
     was more important than source/destination filtering so a compromise
     was made to allow constant time lookups no matter how many hosts and
     filter rules are defined.  We are currently thinking of ways to
     implement source/destination filters without giving up constant time
     lookups but no code has been written yet.  For now, you can use a
     two part solution.  Open the port on the firewall for all outside
     hosts and then use something like tcpwrappers on the inside host to
     restrict who can connect.
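The two-layer arrangement described above, as an added illustration that is not Drawbridge's own code: `PortTable` stands in for a firewall table keyed only on inside host, protocol and port, so membership is one hash lookup whose cost does not depend on how many hosts or rules exist, and which therefore cannot distinguish outside sources; `HostAllowList` stands in for a tcpwrappers-style hosts.allow on the inside host that narrows which outside addresses may actually connect. All class and function names, the addresses and the daemon name are constructed for the example.

```python
from ipaddress import ip_address, ip_network


# --- Layer 1: firewall-side table (models the constant-time design point) ---
class PortTable:
    """Open ports keyed only on (inside host, protocol, port).

    Because the key never includes the outside address, a lookup is a single
    set membership test and stays constant time no matter how many entries
    exist.  The price is that a port is open to every outside host or to none.
    """

    def __init__(self):
        self._open = set()

    def open_port(self, inside_host, proto, port):
        self._open.add((inside_host, proto, port))

    def permits(self, pkt):
        # pkt["src"] is deliberately not consulted: it is not part of the key.
        return (pkt["dst"], pkt["proto"], pkt["dport"]) in self._open


# --- Layer 2: inside-host allow list (models a tcpwrappers hosts.allow) ---
class HostAllowList:
    """Per-daemon allow list evaluated on the inside host itself.

    Rules are scanned in order, as hosts.allow is, but the list only covers
    one host's services, so the linear scan stays short.
    """

    def __init__(self):
        self._rules = []  # list of (daemon name, ip_network)

    def allow(self, daemon, cidr):
        self._rules.append((daemon, ip_network(cidr)))

    def permits(self, daemon, src):
        src_ip = ip_address(src)
        return any(d == daemon and src_ip in net for d, net in self._rules)

    def render_hosts_allow(self):
        """Equivalent hosts.allow lines, using the n.n.n.n/m.m.m.m net/mask
        form documented in hosts_access(5)."""
        return "\n".join(
            f"{daemon}: {net.network_address}/{net.netmask}"
            for daemon, net in self._rules
        )


def decide(table, allowlist, pkt, daemon):
    """Outcome of a connection attempt after both layers are applied."""
    if not table.permits(pkt):
        return "dropped at firewall"
    if not allowlist.permits(daemon, pkt["src"]):
        return "refused by host"
    return "accepted"


def demo():
    # Constructed scenario: inside host 10.0.0.5 runs sshd and only the outside
    # block 192.0.2.0/24 should reach it.  The firewall can only open tcp/22
    # to everyone, so the host-side list does the source restriction.
    table = PortTable()
    table.open_port("10.0.0.5", "tcp", 22)

    acl = HostAllowList()
    acl.allow("sshd", "192.0.2.0/24")

    attempts = [
        {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},
        {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},
        {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 23},
    ]
    return [decide(table, acl, p, "sshd") for p in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third attempt never reaches the inside host because tcp/23 was not opened at all; the second reaches it and is turned away there, which is the behaviour the workaround relies on. Note that the firewall still forwards the refused packets, so the inside host's logs, not the firewall's, are where those attempts show up.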

4) How fast a computer do I need to support x amount of traffic using
   abc ethernet cards?

     It's hard to say.  Throughput depends not only on the CPU speed but
     also on the NICs and the NIC drivers.  The only real way to tell if
     the hardware and NICs are fast enough is to give it a try.